kvargs: fix buffer overflow when parsing list

When the input string is "key=[", the ending '\0' is replaced
by a ',', leading to a heap buffer overflow.

Check the content of ctx1 to avoid this problem.

Fixes: cc0579f2339a ("kvargs: support list value")
Cc: stable@dpdk.org
Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
Reviewed-by: David Marchand <david.marchand@redhat.com>

diff --git a/app/test/test_kvargs.c b/app/test/test_kvargs.c
index f823b77..2a2dae4 100644 (file)
--- a/app/test/test_kvargs.c
+++ b/app/test/test_kvargs.c
@@ -217,6 +217,7 @@ static int test_invalid_kvargs(void)
                "foo=1,=2",        /* no key */
                "foo=[1,2",        /* no closing bracket in value */
                ",=",              /* also test with a smiley */
+               "foo=[",           /* no value in list and no closing bracket */
                NULL };
        const char **args;
        const char *valid_keys_list[] = { "foo", "check", NULL };

diff --git a/lib/librte_kvargs/rte_kvargs.c b/lib/librte_kvargs/rte_kvargs.c
index d393329..1d815dc 100644 (file)
--- a/lib/librte_kvargs/rte_kvargs.c
+++ b/lib/librte_kvargs/rte_kvargs.c
@@ -50,6 +50,8 @@ rte_kvargs_tokenize(struct rte_kvargs *kvlist, const char *params)
                        /* Find the end of the list. */
                        while (str[strlen(str) - 1] != ']') {
                                /* Restore the comma erased by strtok_r(). */
+                               if (ctx1[0] == '\0')
+                                       return -1; /* no closing bracket */
                                str[strlen(str)] = ',';
                                /* Parse until next comma. */
                                str = strtok_r(NULL, RTE_KVARGS_PAIRS_DELIM, &ctx1);