From: Min Hu (Connor) Date: Fri, 23 Apr 2021 07:38:08 +0000 (+0800) Subject: app/eventdev: fix overflow in lcore list parsing X-Git-Url: http://git.droids-corp.org/?a=commitdiff_plain;h=32d7dbf269be;p=dpdk.git app/eventdev: fix overflow in lcore list parsing Tainted and unvalidated integer 'idx' used as an index, which may lead to buffer overflow. This patch fixed it. Fixes: 89e5eb118017 ("app/testeventdev: add string parsing helpers") Cc: stable@dpdk.org Signed-off-by: Min Hu (Connor) Acked-by: Pavan Nikhilesh --- diff --git a/app/test-eventdev/evt_options.c b/app/test-eventdev/evt_options.c index 0d55405741..061b63e12e 100644 --- a/app/test-eventdev/evt_options.c +++ b/app/test-eventdev/evt_options.c @@ -221,7 +221,7 @@ evt_parse_plcores(struct evt_options *opt, const char *corelist) { int ret; - ret = parse_lcores_list(opt->plcores, corelist); + ret = parse_lcores_list(opt->plcores, RTE_MAX_LCORE, corelist); if (ret == -E2BIG) evt_err("duplicate lcores in plcores"); @@ -233,7 +233,7 @@ evt_parse_work_lcores(struct evt_options *opt, const char *corelist) { int ret; - ret = parse_lcores_list(opt->wlcores, corelist); + ret = parse_lcores_list(opt->wlcores, RTE_MAX_LCORE, corelist); if (ret == -E2BIG) evt_err("duplicate lcores in wlcores"); diff --git a/app/test-eventdev/parser.c b/app/test-eventdev/parser.c index 24f1855e9a..7a973cbb23 100644 --- a/app/test-eventdev/parser.c +++ b/app/test-eventdev/parser.c @@ -310,7 +310,7 @@ parse_hex_string(char *src, uint8_t *dst, uint32_t *size) } int -parse_lcores_list(bool lcores[], const char *corelist) +parse_lcores_list(bool lcores[], int lcores_num, const char *corelist) { int i, idx = 0; int min, max; @@ -332,6 +332,8 @@ parse_lcores_list(bool lcores[], const char *corelist) if (*corelist == '\0') return -1; idx = strtoul(corelist, &end, 10); + if (idx < 0 || idx > lcores_num) + return -1; if (end == NULL) return -1; @@ -343,7 +345,7 @@ parse_lcores_list(bool lcores[], const char *corelist) max = idx; if (min == RTE_MAX_LCORE) min = idx; - for (idx = min; idx <= max; idx++) { + for (idx = min; idx < max; idx++) { if (lcores[idx] == 1) return -E2BIG; lcores[idx] = 1; diff --git a/app/test-eventdev/parser.h b/app/test-eventdev/parser.h index 673ff22d78..696b40a3e2 100644 --- a/app/test-eventdev/parser.h +++ b/app/test-eventdev/parser.h @@ -46,5 +46,5 @@ int parse_hex_string(char *src, uint8_t *dst, uint32_t *size); int parse_tokenize_string(char *string, char *tokens[], uint32_t *n_tokens); -int parse_lcores_list(bool lcores[], const char *corelist); +int parse_lcores_list(bool lcores[], int lcores_num, const char *corelist); #endif