From 8eaff74f22cc762e98a4f4adfcbe75e0f74a80a3 Mon Sep 17 00:00:00 2001
From: Allain Legacy
Date: Fri, 31 Mar 2017 09:52:01 -0400
Subject: [PATCH] cfgfile: constrain string search

The call to memchr() uses the absolute length of the string buffer instead of the actual length of the string returned by fgets(). This causes the search to go beyond the '\n' character and find ';' characters in random garbage on the stack. This then causes the 'len' variable to be updated and the subsequent search for the '=' character to potentially find one beyond the first newline character. Since this bug relies on ';' and '=' characters appearing in random places in the 'buffer' variable it is intermittently reproducible at best.

Signed-off-by: Allain Legacy
Acked-by: Cristian Dumitrescu
---
 lib/librte_cfgfile/rte_cfgfile.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/librte_cfgfile/rte_cfgfile.c b/lib/librte_cfgfile/rte_cfgfile.c
index 63e34bbb0a..e4a3885b70 100644
--- a/lib/librte_cfgfile/rte_cfgfile.c
+++ b/lib/librte_cfgfile/rte_cfgfile.c
@@ -191,7 +191,7 @@ rte_cfgfile_load_with_params(const char *filename, int flags,
 "Check if line too long\n", lineno);
 goto error1;
 }
- pos = memchr(buffer, params->comment_character, sizeof(buffer));
+ pos = memchr(buffer, params->comment_character, len);
 if (pos != NULL) {
 *pos = '\0';
 len = pos - buffer;
-- 
2.20.1
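Review bot: The new memchr() bound is correct only as long as `len` still describes the bytes fgets() actually wrote, and nothing in the hunk says so; the reason for the bound deserves a comment on the changed line, e.g. `/* search only the bytes fgets() filled; the rest of buffer is uninitialized stack */`. The commit message explains that the old sizeof(buffer) bound read uninitialized stack memory and could let a stray ';' or '=' move the parse past the newline, which is worth stating in the code since the same bound must be respected by any later search on this line (the following '=' lookup is outside this hunk and I cannot see whether it already uses `len`). `len` is computed before the hunk begins, presumably from the fgets() result, and it is reassigned from `pos - buffer` inside the hunk, so confirm that every read of buffer after this point is bounded by the updated value. rte_cfgfile_load_with_params begins and ends outside the hunk.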