From patchwork Fri Mar 31 13:52:01 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Allain Legacy X-Patchwork-Id: 23022 X-Patchwork-Delegate: thomas@monjalon.net Return-Path: X-Original-To: patchwork@dpdk.org Delivered-To: patchwork@dpdk.org Received: from [92.243.14.124] (localhost [IPv6:::1]) by dpdk.org (Postfix) with ESMTP id DD1642E8B; Fri, 31 Mar 2017 15:52:52 +0200 (CEST) Received: from mail.windriver.com (mail.windriver.com [147.11.1.11]) by dpdk.org (Postfix) with ESMTP id 562602BE9 for ; Fri, 31 Mar 2017 15:52:30 +0200 (CEST) Received: from ALA-HCA.corp.ad.wrs.com (ala-hca.corp.ad.wrs.com [147.11.189.40]) by mail.windriver.com (8.15.2/8.15.1) with ESMTPS id v2VDqS8W014631 (version=TLSv1 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 31 Mar 2017 06:52:29 -0700 (PDT) Received: from yow-cgts4-lx.wrs.com (128.224.145.137) by ALA-HCA.corp.ad.wrs.com (147.11.189.50) with Microsoft SMTP Server (TLS) id 14.3.294.0; Fri, 31 Mar 2017 06:52:28 -0700 From: Allain Legacy To: , CC: , , Date: Fri, 31 Mar 2017 09:52:01 -0400 Message-ID: <20170331135203.117461-5-allain.legacy@windriver.com> X-Mailer: git-send-email 2.12.1 In-Reply-To: <20170331135203.117461-1-allain.legacy@windriver.com> References: <20170330185407.61220-1-allain.legacy@windriver.com> <20170331135203.117461-1-allain.legacy@windriver.com> MIME-Version: 1.0 X-Originating-IP: [128.224.145.137] Subject: [dpdk-dev] [PATCH v5 4/6] cfgfile: use strnlen to constrain memchr search X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" The call to memchr() uses the absolute length of the string buffer instead of the actual length of the string returned by fgets(). This causes the search to go beyond the '\n' character and find ';' characters in random garbage on the stack. This then causes the 'len' variable to be updated and the subsequent search for the '=' character to potentially find one beyond the first newline character. Since this bug relies on ';' and '=' characters appearing in random places in the 'buffer' variable it is intermittently reproducible at best. Signed-off-by: Allain Legacy Acked-by: Cristian Dumitrescu --- lib/librte_cfgfile/rte_cfgfile.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/librte_cfgfile/rte_cfgfile.c b/lib/librte_cfgfile/rte_cfgfile.c index 63e34bbb0..e4a3885b7 100644 --- a/lib/librte_cfgfile/rte_cfgfile.c +++ b/lib/librte_cfgfile/rte_cfgfile.c @@ -191,7 +191,7 @@ rte_cfgfile_load_with_params(const char *filename, int flags, "Check if line too long\n", lineno); goto error1; } - pos = memchr(buffer, params->comment_character, sizeof(buffer)); + pos = memchr(buffer, params->comment_character, len); if (pos != NULL) { *pos = '\0'; len = pos - buffer;