[dpdk-dev] [PATCH 4/5] cfgfile: use strnlen to constrain memchr search

Allain Legacy allain.legacy at windriver.com
Thu Mar 2 20:29:30 CET 2017

Previous message: [dpdk-dev] [PATCH 3/5] cfgfile: add support for unamed global section
Next message: [dpdk-dev] [PATCH 5/5] cfgfile: increase local buffer size for max name and value
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The call to memchr() uses the absolute length of the string buffer instead
of the actual length of the string returned by fgets().  This causes the
search to go beyond the '\n' character and find ';' characters in random
garbage on the stack.  This then causes the 'len' variable to be updated
and the subsequent search for the '=' character to potentially find one
beyond the first newline character.

Since this bug relies on ';' and '=' characters appearing in random places
in the 'buffer' variable it is intermittently reproducible at best.

Signed-off-by: Allain Legacy <allain.legacy at windriver.com>
---
 lib/librte_cfgfile/rte_cfgfile.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/librte_cfgfile/rte_cfgfile.c b/lib/librte_cfgfile/rte_cfgfile.c
index 2aba169..28956ea 100644
--- a/lib/librte_cfgfile/rte_cfgfile.c
+++ b/lib/librte_cfgfile/rte_cfgfile.c
@@ -133,7 +133,8 @@ struct rte_cfgfile *
 					"Check if line too long\n", lineno);
 			goto error1;
 		}
-		pos = memchr(buffer, RTE_LIBRTE_CFGFILE_COMMENT_CHAR, len);
+		pos = memchr(buffer, RTE_LIBRTE_CFGFILE_COMMENT_CHAR,
+			     sizeof(buffer));
 		if (pos != NULL) {
 			*pos = '\0';
 			len = pos -  buffer;
-- 
1.8.3.1

Previous message: [dpdk-dev] [PATCH 3/5] cfgfile: add support for unamed global section
Next message: [dpdk-dev] [PATCH 5/5] cfgfile: increase local buffer size for max name and value
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the dev mailing list