kvargs: fix crash when parsing an invalid token on FreeBSD
Checks
Commit Message
The behavior of strtok_r() is not the same between GNU libc and FreeBSD
libc: in the first case, the context is set to "" when the last token is
returned, while in the second case it is set to NULL.
On FreeBSD, the current code crashes because we are dereferencing a NULL
pointer (ctx1). Fix it by first checking if it is NULL. This works with
both GNU and FreeBSD libc.
Fixes: ffcf831454a9 ("kvargs: fix buffer overflow when parsing list")
Cc: stable@dpdk.org
Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
---
lib/librte_kvargs/rte_kvargs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
Tested-by: Huang, ZhiminX <zhiminx.huang@intel.com>
Regards,
HuangZhiMin
-----Original Message-----
From: dev [mailto:dev-bounces@dpdk.org] On Behalf Of Olivier Matz
Sent: Wednesday, April 29, 2020 9:17 PM
To: dev@dpdk.org
Cc: stable@dpdk.org
Subject: [dpdk-dev] [PATCH] kvargs: fix crash when parsing an invalid token on FreeBSD
The behavior of strtok_r() is not the same between GNU libc and FreeBSD
libc: in the first case, the context is set to "" when the last token is returned, while in the second case it is set to NULL.
On FreeBSD, the current code crashes because we are dereferencing a NULL pointer (ctx1). Fix it by first checking if it is NULL. This works with both GNU and FreeBSD libc.
Fixes: ffcf831454a9 ("kvargs: fix buffer overflow when parsing list")
Cc: stable@dpdk.org
Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
---
lib/librte_kvargs/rte_kvargs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/librte_kvargs/rte_kvargs.c b/lib/librte_kvargs/rte_kvargs.c index 1d815dcd9..285081c86 100644
--- a/lib/librte_kvargs/rte_kvargs.c
+++ b/lib/librte_kvargs/rte_kvargs.c
@@ -50,7 +50,7 @@ rte_kvargs_tokenize(struct rte_kvargs *kvlist, const char *params)
/* Find the end of the list. */
while (str[strlen(str) - 1] != ']') {
/* Restore the comma erased by strtok_r(). */
- if (ctx1[0] == '\0')
+ if (ctx1 == NULL || ctx1[0] == '\0')
return -1; /* no closing bracket */
str[strlen(str)] = ',';
/* Parse until next comma. */
--
2.25.1
On Wed, Apr 29, 2020 at 3:17 PM Olivier Matz <olivier.matz@6wind.com> wrote:
>
> The behavior of strtok_r() is not the same between GNU libc and FreeBSD
> libc: in the first case, the context is set to "" when the last token is
> returned, while in the second case it is set to NULL.
>
> On FreeBSD, the current code crashes because we are dereferencing a NULL
> pointer (ctx1). Fix it by first checking if it is NULL. This works with
> both GNU and FreeBSD libc.
>
> Fixes: ffcf831454a9 ("kvargs: fix buffer overflow when parsing list")
> Cc: stable@dpdk.org
>
> Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
Tested-by: Zhimin Huang <zhiminx.huang@intel.com>
Applied, thanks.
@@ -50,7 +50,7 @@ rte_kvargs_tokenize(struct rte_kvargs *kvlist, const char *params)
/* Find the end of the list. */
while (str[strlen(str) - 1] != ']') {
/* Restore the comma erased by strtok_r(). */
- if (ctx1[0] == '\0')
+ if (ctx1 == NULL || ctx1[0] == '\0')
return -1; /* no closing bracket */
str[strlen(str)] = ',';
/* Parse until next comma. */