From: Yunjian Wang Date: Fri, 27 Mar 2020 08:09:55 +0000 (+0100) Subject: kvargs: fix buffer overflow when parsing list X-Git-Url: http://git.droids-corp.org/?a=commitdiff_plain;h=ffcf831454a93c1da54299d4066dd03de6712a9b;p=dpdk.git kvargs: fix buffer overflow when parsing list When the input string is "key=[", the ending '\0' is replaced by a ',', leading to a heap buffer overflow. Check the content of ctx1 to avoid this problem. Fixes: cc0579f2339a ("kvargs: support list value") Cc: stable@dpdk.org Signed-off-by: Yunjian Wang Signed-off-by: Olivier Matz Reviewed-by: David Marchand --- diff --git a/app/test/test_kvargs.c b/app/test/test_kvargs.c index f823b771fb..2a2dae43a0 100644 --- a/app/test/test_kvargs.c +++ b/app/test/test_kvargs.c @@ -217,6 +217,7 @@ static int test_invalid_kvargs(void) "foo=1,=2", /* no key */ "foo=[1,2", /* no closing bracket in value */ ",=", /* also test with a smiley */ + "foo=[", /* no value in list and no closing bracket */ NULL }; const char **args; const char *valid_keys_list[] = { "foo", "check", NULL }; diff --git a/lib/librte_kvargs/rte_kvargs.c b/lib/librte_kvargs/rte_kvargs.c index d39332999e..1d815dcd96 100644 --- a/lib/librte_kvargs/rte_kvargs.c +++ b/lib/librte_kvargs/rte_kvargs.c @@ -50,6 +50,8 @@ rte_kvargs_tokenize(struct rte_kvargs *kvlist, const char *params) /* Find the end of the list. */ while (str[strlen(str) - 1] != ']') { /* Restore the comma erased by strtok_r(). */ + if (ctx1[0] == '\0') + return -1; /* no closing bracket */ str[strlen(str)] = ','; /* Parse until next comma. */ str = strtok_r(NULL, RTE_KVARGS_PAIRS_DELIM, &ctx1);