[dpdk-dev] [PATCH] bus/pci: fix driver name string manipulation

Andy Green andy at warmcat.com
Tue May 15 12:19:19 CEST 2018



On 05/15/2018 06:03 PM, Jerin Jacob wrote:
> sizeof(dri_name) is 8B on 64-bit systems. The intended operation is copying
> the string after '/' from the string `name`.
> 
> This bug does not allow probing any device string >8B and hence results in
> the testpmd error ("No ethernet devices found") on some PMDs.

You are right... but...

> Cc: Andy Green <andy at warmcat.com>
> Cc: Pablo de Lara <pablo.de.lara.guarch at intel.com>
> 
> Fixes: fe5f777b538 ("bus/pci: replace strncpy by strlcpy")
> 
> Signed-off-by: Jerin Jacob <jerin.jacob at caviumnetworks.com>
> ---
>   drivers/bus/pci/linux/pci.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/bus/pci/linux/pci.c b/drivers/bus/pci/linux/pci.c
> index a73ee49c2..cd45875b1 100644
> --- a/drivers/bus/pci/linux/pci.c
> +++ b/drivers/bus/pci/linux/pci.c
> @@ -54,7 +54,7 @@ pci_get_kernel_driver_by_path(const char *filename, char *dri_name)
>   
>   	name = strrchr(path, '/');
>   	if (name) {
> -		strlcpy(dri_name, name + 1, sizeof(dri_name));
> +		strlcpy(dri_name, name + 1, strlen(name));

... this fix is no good.  The underlying problem is the length of 
dri_name is not getting passed into this function... it just doesn't 
know how much of dri_name is safe to use.  Telling it to use the 
strlen() of something unrelated is going to make buffer overflows possible.

I sent a patch to the list a few hours ago that amends this function to 
take the allocated length of dri_name, and sets the limit for the 
strlcpy() to that, so no matter what turns up in name it's not possible 
to blow past dri_name allocation.

[dpdk-dev] [PATCH] bus/pci: correct the earlier strlcpy conversion

-Andy

>   		return 0;
>   	}
>   
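
Review bot: The new bound on the `+` line, `strlen(name)`, measures the source string and says nothing about how many bytes `dri_name` can hold, so the strlcpy() limit no longer protects the destination. Because the signature in the `@@` line passes `dri_name` as a bare `char *`, neither `sizeof(dri_name)` nor any value computed from `name` can be the right limit here; add a parameter carrying the destination's allocated size, pass that as the third argument to strlcpy(), and update the callers to supply it.
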
> 
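
The sizing problem discussed in this thread, as an added example that is not code from the thread or from DPDK: it shows what bound each variant hands to the copy and how a caller-supplied capacity keeps the copy inside the destination. The names `copy_bounded`, `bound_sizeof_ptr`, `bound_strlen_src` and `driver_name_from_path` are hypothetical, `copy_bounded` is a local stand-in with strlcpy() semantics, and the sample path is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in with strlcpy() semantics (not every libc ships strlcpy):
 * copies at most size-1 bytes, always NUL-terminates when size > 0,
 * and returns strlen(src) so the caller can detect truncation. */
static size_t copy_bounded(char *dst, const char *src, size_t size)
{
	size_t len = strlen(src);

	if (size > 0) {
		size_t n = len < size - 1 ? len : size - 1;
		memcpy(dst, src, n);
		dst[n] = '\0';
	}
	return len;
}

/* The bound each variant would pass to the copy. A char * parameter
 * carries no capacity, and the source length is unrelated to it. */
static size_t bound_sizeof_ptr(char *dri_name) { return sizeof(dri_name); }
static size_t bound_strlen_src(const char *name) { return strlen(name); }

/* Hypothetical corrected shape: the caller passes the destination capacity.
 * Returns 0 on success, -1 if there is no '/' or the name was truncated. */
static int driver_name_from_path(const char *path, char *dri_name, size_t len)
{
	const char *name = strrchr(path, '/');

	if (name == NULL || len == 0)
		return -1;
	return copy_bounded(dri_name, name + 1, len) < len ? 0 : -1;
}

int main(void)
{
	const char *path = "/sys/bus/pci/drivers/vfio-pci"; /* constructed */
	char small[6];

	printf("sizeof(pointer) bound: %zu\n", bound_sizeof_ptr(small));
	printf("strlen(source) bound:  %zu (buffer holds %zu)\n",
	       bound_strlen_src(strrchr(path, '/')), sizeof(small));
	printf("rc=%d\n", driver_name_from_path(path, small, sizeof(small)));
	printf("copied: \"%s\"\n", small);
	return 0;
}
```
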

