[dpdk-stable] patch 'kvargs: fix buffer overflow when parsing list' has been queued to LTS release 18.11.9

Kevin Traynor ktraynor at redhat.com
Thu May 28 18:22:13 CEST 2020


Hi,

FYI, your patch has been queued to LTS release 18.11.9

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 06/03/20. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable-queue

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable-queue/commit/a27225ff8f76afc7a2ee1b3710eb8fef5189efe5

Thanks.

Kevin.

---
From a27225ff8f76afc7a2ee1b3710eb8fef5189efe5 Mon Sep 17 00:00:00 2001
From: Yunjian Wang <wangyunjian at huawei.com>
Date: Fri, 27 Mar 2020 09:09:55 +0100
Subject: [PATCH] kvargs: fix buffer overflow when parsing list

[ upstream commit ffcf831454a93c1da54299d4066dd03de6712a9b ]

When the input string is "key=[", the ending '\0' is replaced
by a ',', leading to a heap buffer overflow.

Check the content of ctx1 to avoid this problem.

Fixes: cc0579f2339a ("kvargs: support list value")

Signed-off-by: Yunjian Wang <wangyunjian at huawei.com>
Signed-off-by: Olivier Matz <olivier.matz at 6wind.com>
Reviewed-by: David Marchand <david.marchand at redhat.com>
---
 lib/librte_kvargs/rte_kvargs.c | 2 ++
 test/test/test_kvargs.c        | 1 +
 2 files changed, 3 insertions(+)

diff --git a/lib/librte_kvargs/rte_kvargs.c b/lib/librte_kvargs/rte_kvargs.c
index f7030c63b7..a8a5cb50b9 100644
--- a/lib/librte_kvargs/rte_kvargs.c
+++ b/lib/librte_kvargs/rte_kvargs.c
@@ -51,4 +51,6 @@ rte_kvargs_tokenize(struct rte_kvargs *kvlist, const char *params)
 			while (str[strlen(str) - 1] != ']') {
 				/* Restore the comma erased by strtok_r(). */
+				if (ctx1[0] == '\0')
+					return -1; /* no closing bracket */
 				str[strlen(str)] = ',';
 				/* Parse until next comma. */
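Review bot: the added guard reads ctx1[0] without first testing ctx1 for NULL. It depends on strtok_r() leaving its save pointer aimed at the terminating '\0' once the input is exhausted, but callers are not promised what that pointer holds after the last token, so a libc that resets it to NULL would turn this guard into a NULL dereference on the same malformed input. Suggest `if (ctx1 == NULL || ctx1[0] == '\0')`. Minor style point: the comment "Restore the comma erased by strtok_r()" now sits above the new check instead of the `str[strlen(str)] = ',';` assignment it describes, so it should move down below the return.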
diff --git a/test/test/test_kvargs.c b/test/test/test_kvargs.c
index f823b771fb..2a2dae43a0 100644
--- a/test/test/test_kvargs.c
+++ b/test/test/test_kvargs.c
@@ -218,4 +218,5 @@ static int test_invalid_kvargs(void)
 		"foo=[1,2",        /* no closing bracket in value */
 		",=",              /* also test with a smiley */
+		"foo=[",           /* no value in list and no closing bracket */
 		NULL };
 	const char **args;
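Review bot: the single new entry "foo=[" covers only the exact string from the commit message, where the unterminated list is the whole input. Since the fix depends on the state of the tokenizer after the last token, it would be worth adding neighbours that reach the same guard by a different route, for example "foo=[," (trailing delimiter) and "bar=1,foo=[" (unterminated list after a valid pair). Also note that this table only asserts that parsing is rejected; an out-of-bounds write like the one being fixed is reliably caught here only when the test runs under a memory checker, which could be mentioned in the comment.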
-- 
2.21.3

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- -	2020-05-28 17:13:00.521662253 +0100
+++ 0026-kvargs-fix-buffer-overflow-when-parsing-list.patch	2020-05-28 17:12:59.086556740 +0100
@@ -1 +1 @@
-From ffcf831454a93c1da54299d4066dd03de6712a9b Mon Sep 17 00:00:00 2001
+From a27225ff8f76afc7a2ee1b3710eb8fef5189efe5 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit ffcf831454a93c1da54299d4066dd03de6712a9b ]
+
@@ -12 +13,0 @@
-Cc: stable at dpdk.org
@@ -18 +18,0 @@
- app/test/test_kvargs.c         | 1 +
@@ -19,0 +20 @@
+ test/test/test_kvargs.c        | 1 +
@@ -22,10 +22,0 @@
-diff --git a/app/test/test_kvargs.c b/app/test/test_kvargs.c
-index f823b771fb..2a2dae43a0 100644
---- a/app/test/test_kvargs.c
-+++ b/app/test/test_kvargs.c
-@@ -218,4 +218,5 @@ static int test_invalid_kvargs(void)
- 		"foo=[1,2",        /* no closing bracket in value */
- 		",=",              /* also test with a smiley */
-+		"foo=[",           /* no value in list and no closing bracket */
- 		NULL };
- 	const char **args;
@@ -33 +24 @@
-index d39332999e..1d815dcd96 100644
+index f7030c63b7..a8a5cb50b9 100644
@@ -42,0 +34,10 @@
+diff --git a/test/test/test_kvargs.c b/test/test/test_kvargs.c
+index f823b771fb..2a2dae43a0 100644
+--- a/test/test/test_kvargs.c
++++ b/test/test/test_kvargs.c
+@@ -218,4 +218,5 @@ static int test_invalid_kvargs(void)
+ 		"foo=[1,2",        /* no closing bracket in value */
+ 		",=",              /* also test with a smiley */
++		"foo=[",           /* no value in list and no closing bracket */
+ 		NULL };
+ 	const char **args;
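Review bot: the index line for rte_kvargs.c changes from d39332999e..1d815dcd96 to f7030c63b7..a8a5cb50b9 (the "@@ -33 +24 @@" region), so the file on the 18.11 branch is not byte-identical to upstream even though no hunk body line differs. That is expected for a backport, but it means the two added lines land in a function whose surroundings may differ, so please confirm on the stable branch that ctx1 is the save pointer used by the strtok_r() call in this loop. The remaining changes here are the test path move from app/test/ to test/test/, the dropped Cc line, and the added upstream commit reference, which are metadata only.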


