From ceccbcd73829c495e148e3380de916ef4874c104 Mon Sep 17 00:00:00 2001 From: Wei Huang Date: Fri, 30 Oct 2020 03:35:07 -0400 Subject: [PATCH] raw/ifpga: use trusted buffer to free In rte_fpga_do_pr, calling function read() may taints argument buffer which turn to an untrusted value as argument of rte_free(). Coverity issue: 279449 Fixes: ef1e8ede3da5 ("raw/ifpga: add Intel FPGA bus rawdev driver") Cc: stable@dpdk.org Signed-off-by: Wei Huang Acked-by: Qi Zhang --- drivers/raw/ifpga/ifpga_rawdev.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/raw/ifpga/ifpga_rawdev.c b/drivers/raw/ifpga/ifpga_rawdev.c index f9de1677b4..27129b133e 100644 --- a/drivers/raw/ifpga/ifpga_rawdev.c +++ b/drivers/raw/ifpga/ifpga_rawdev.c @@ -786,7 +786,7 @@ rte_fpga_do_pr(struct rte_rawdev *rawdev, int port_id, int file_fd; int ret = 0; ssize_t buffer_size; - void *buffer; + void *buffer, *buf_to_free; u64 pr_error; if (!file_name) @@ -818,6 +818,7 @@ rte_fpga_do_pr(struct rte_rawdev *rawdev, int port_id, ret = -ENOMEM; goto close_fd; } + buf_to_free = buffer; /*read the raw data*/ if (buffer_size != read(file_fd, (void *)buffer, buffer_size)) { @@ -835,8 +836,8 @@ rte_fpga_do_pr(struct rte_rawdev *rawdev, int port_id, } free_buffer: - if (buffer) - rte_free(buffer); + if (buf_to_free) + rte_free(buf_to_free); close_fd: close(file_fd); file_fd = 0; -- 2.20.1