eal/linux: fix illegal memory access in uevent handler

'recv()' fills the 'buf', later 'strlcpy()' used to copy from this buffer.
But as coverity warns 'recv()' doesn't guarantee that 'buf' is
null-terminated, but 'strlcpy()' requires it.

Enlarge 'buf' size to 'EAL_UEV_MSG_LEN + 1' and ensure the last one can
be set to 0 when received buffer size is EAL_UEV_MSG_LEN.

CID 375864:  Memory - illegal accesses  (STRING_NULL)
Passing unterminated string "buf" to "dev_uev_parse", which expects
a null-terminated string.

Coverity issue: 375864
Fixes: 0d0f478d0483 ("eal/linux: add uevent parse and process")
Cc: stable@dpdk.org
Signed-off-by: Steve Yang <stevex.yang@intel.com>
Acked-by: Ferruh Yigit <ferruh.yigit@intel.com>

diff --git a/lib/eal/linux/eal_dev.c b/lib/eal/linux/eal_dev.c
index f6e5861..e6f509b 100644 (file)
--- a/lib/eal/linux/eal_dev.c
+++ b/lib/eal/linux/eal_dev.c
@@ -227,13 +227,13 @@ dev_uev_handler(__rte_unused void *param)
 {
        struct rte_dev_event uevent;
        int ret;
-       char buf[EAL_UEV_MSG_LEN];
+       char buf[EAL_UEV_MSG_LEN + 1];
        struct rte_bus *bus;
        struct rte_device *dev;
        const char *busname = "";
 
        memset(&uevent, 0, sizeof(struct rte_dev_event));
-       memset(buf, 0, EAL_UEV_MSG_LEN);
+       memset(buf, 0, EAL_UEV_MSG_LEN + 1);
 
        if (rte_intr_fd_get(intr_handle) < 0)
                return;