[dpdk-dev] ethdev: fix invalid length write on dev detach
Checks
Commit Message
The name of a device is copied in a provided buffer within
rte_eth_dev_detach(). The current sizeof is done on a pointer instead of
the intended array usually pointed to.
The name field of an rte_device is not assured however to point an
rte_devargs name field. The almost correct length to base this copy over
is thus RTE_DEV_NAME_MAX_LEN.
Almost correct, because unfortunately this function does not allow the
user to pass down a size parameter for the buffer it is meant to write.
This API should be fixed, it is broken by design.
Fixes: a1e7c17555e8 ("ethdev: use device name from device structure")
Cc: Ferruh Yigit <ferruh.yigit@intel.com>
Signed-off-by: Gaetan Rivet <gaetan.rivet@6wind.com>
---
lib/librte_ether/rte_ethdev.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Comments
31/07/2017 12:29, Gaetan Rivet:
> The name of a device is copied in a provided buffer within
> rte_eth_dev_detach(). The current sizeof is done on a pointer instead of
> the intended array usually pointed to.
>
> The name field of an rte_device is not assured however to point an
> rte_devargs name field. The almost correct length to base this copy over
> is thus RTE_DEV_NAME_MAX_LEN.
>
> Almost correct, because unfortunately this function does not allow the
> user to pass down a size parameter for the buffer it is meant to write.
> This API should be fixed, it is broken by design.
Yes we must discuss the future of this API function.
In the meantime, this limitation (size expectation) should be documented
in the doxygen comment. v2 please?
On Mon, Jul 31, 2017 at 03:27:29PM +0200, Thomas Monjalon wrote:
> 31/07/2017 12:29, Gaetan Rivet:
> > The name of a device is copied in a provided buffer within
> > rte_eth_dev_detach(). The current sizeof is done on a pointer instead of
> > the intended array usually pointed to.
> >
> > The name field of an rte_device is not assured however to point an
> > rte_devargs name field. The almost correct length to base this copy over
> > is thus RTE_DEV_NAME_MAX_LEN.
> >
> > Almost correct, because unfortunately this function does not allow the
> > user to pass down a size parameter for the buffer it is meant to write.
> > This API should be fixed, it is broken by design.
>
> Yes we must discuss the future of this API function.
>
> In the meantime, this limitation (size expectation) should be documented
> in the doxygen comment. v2 please?
>
Sure
@@ -436,8 +436,8 @@ rte_eth_dev_detach(uint8_t port_id, char *name)
if (rte_eth_dev_is_detachable(port_id))
goto err;
- snprintf(name, sizeof(rte_eth_devices[port_id].device->name),
- "%s", rte_eth_devices[port_id].device->name);
+ snprintf(name, RTE_DEV_NAME_MAX_LEN, "%s",
+ rte_eth_devices[port_id].device->name);
ret = rte_eal_dev_detach(rte_eth_devices[port_id].device);
if (ret < 0)