diff mbox

[dpdk-dev,v4,02/18] net/nfp: solve buffer overflow

Message ID 152600312580.53146.1090136345409468008.stgit@localhost.localdomain (mailing list archive)
State Superseded, archived
Headers

Checks

Context Check Description
ci/checkpatch success coding style OK
ci/Intel-compilation success Compilation OK

Commit Message

Andy Green May 11, 2018, 1:45 a.m. UTC 
  /home/agreen/projects/dpdk/drivers/net/nfp/nfp_net.c: In
function ‘nfp_pf_pci_probe’:
/home/agreen/projects/dpdk/drivers/net/nfp/nfp_net.c:3160:
23: error: ‘%s’ directive writing up to 99 bytes into a
region of size 76 [-Werror=format-overflow=]
  sprintf(fw_name, "%s/%s.nffw", DEFAULT_FW_PATH, serial);

Note fw_buf still has to increase somewhat even after
restricting serial[], since otherwise:

/home/agreen/projects/dpdk/drivers/net/nfp/nfp_net.c: In
function ‘nfp_pf_pci_probe’:
/home/agreen/projects/dpdk/drivers/net/nfp/nfp_net.c:3176:23:
error: ‘%s’ directive writing up to 99 bytes into a region
of size 76 [-Werror=format-overflow=]
  sprintf(fw_name, "%s/%s", DEFAULT_FW_PATH, card);
                       ^~
/home/agreen/projects/dpdk/drivers/net/nfp/nfp_net.c:3262:32:
  err = nfp_fw_upload(dev, nsp, card_desc);
                                ~~~~~~~~~
/home/agreen/projects/dpdk/drivers/net/nfp/nfp_net.c:3176:2:
note: ‘sprintf’ output between 25 and 124 bytes into a
destination of size 100
  sprintf(fw_name, "%s/%s", DEFAULT_FW_PATH, card);

Signed-off-by: Andy Green <andy@warmcat.com>
---
 drivers/net/nfp/nfp_net.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

De Lara Guarch, Pablo May 11, 2018, 8:58 a.m. UTC | #1 
> -----Original Message-----

> From: dev [mailto:dev-bounces@dpdk.org] On Behalf Of Andy Green

> Sent: Friday, May 11, 2018 2:45 AM

> To: dev@dpdk.org

> Subject: [dpdk-dev] [PATCH v4 02/18] net/nfp: solve buffer overflow

> 

> /home/agreen/projects/dpdk/drivers/net/nfp/nfp_net.c: In function

> ‘nfp_pf_pci_probe’:

> /home/agreen/projects/dpdk/drivers/net/nfp/nfp_net.c:3160:

> 23: error: ‘%s’ directive writing up to 99 bytes into a region of size 76 [-

> Werror=format-overflow=]

>   sprintf(fw_name, "%s/%s.nffw", DEFAULT_FW_PATH, serial);

> 

> Note fw_buf still has to increase somewhat even after restricting serial[], since

> otherwise:

> 

> /home/agreen/projects/dpdk/drivers/net/nfp/nfp_net.c: In function

> ‘nfp_pf_pci_probe’:

> /home/agreen/projects/dpdk/drivers/net/nfp/nfp_net.c:3176:23:

> error: ‘%s’ directive writing up to 99 bytes into a region of size 76 [-

> Werror=format-overflow=]

>   sprintf(fw_name, "%s/%s", DEFAULT_FW_PATH, card);

>                        ^~

> /home/agreen/projects/dpdk/drivers/net/nfp/nfp_net.c:3262:32:

>   err = nfp_fw_upload(dev, nsp, card_desc);

>                                 ~~~~~~~~~

> /home/agreen/projects/dpdk/drivers/net/nfp/nfp_net.c:3176:2:

> note: ‘sprintf’ output between 25 and 124 bytes into a destination of size 100

>   sprintf(fw_name, "%s/%s", DEFAULT_FW_PATH, card);

> 

> Signed-off-by: Andy Green <andy@warmcat.com>


Missing fixes line and CC stable.

Fixes: 896c265ef954 ("net/nfp: use new CPP interface")
Cc: stable@dpdk.org

Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>
De Lara Guarch, Pablo May 11, 2018, 10:13 a.m. UTC | #2 
Hi,

> -----Original Message-----

> From: De Lara Guarch, Pablo

> Sent: Friday, May 11, 2018 9:58 AM

> To: 'Andy Green' <andy@warmcat.com>; dev@dpdk.org

> Cc: stable@dpdk.org

> Subject: RE: [dpdk-dev] [PATCH v4 02/18] net/nfp: solve buffer overflow

> 

> 

> 

> > -----Original Message-----

> > From: dev [mailto:dev-bounces@dpdk.org] On Behalf Of Andy Green

> > Sent: Friday, May 11, 2018 2:45 AM

> > To: dev@dpdk.org

> > Subject: [dpdk-dev] [PATCH v4 02/18] net/nfp: solve buffer overflow

> >

> > /home/agreen/projects/dpdk/drivers/net/nfp/nfp_net.c: In function

> > ‘nfp_pf_pci_probe’:

> > /home/agreen/projects/dpdk/drivers/net/nfp/nfp_net.c:3160:

> > 23: error: ‘%s’ directive writing up to 99 bytes into a region of size

> > 76 [- Werror=format-overflow=]

> >   sprintf(fw_name, "%s/%s.nffw", DEFAULT_FW_PATH, serial);

> >

> > Note fw_buf still has to increase somewhat even after restricting

> > serial[], since

> > otherwise:

> >

> > /home/agreen/projects/dpdk/drivers/net/nfp/nfp_net.c: In function

> > ‘nfp_pf_pci_probe’:

> > /home/agreen/projects/dpdk/drivers/net/nfp/nfp_net.c:3176:23:

> > error: ‘%s’ directive writing up to 99 bytes into a region of size 76

> > [- Werror=format-overflow=]

> >   sprintf(fw_name, "%s/%s", DEFAULT_FW_PATH, card);

> >                        ^~

> > /home/agreen/projects/dpdk/drivers/net/nfp/nfp_net.c:3262:32:

> >   err = nfp_fw_upload(dev, nsp, card_desc);

> >                                 ~~~~~~~~~

> > /home/agreen/projects/dpdk/drivers/net/nfp/nfp_net.c:3176:2:

> > note: ‘sprintf’ output between 25 and 124 bytes into a destination of size 100

> >   sprintf(fw_name, "%s/%s", DEFAULT_FW_PATH, card);

> >

> > Signed-off-by: Andy Green <andy@warmcat.com>

> 

> Missing fixes line and CC stable.

> 

> Fixes: 896c265ef954 ("net/nfp: use new CPP interface")

> Cc: stable@dpdk.org

> 

> Acked-by: Pablo de Lara <pablo.de.lara.guarch@intel.com>


Actually, this does not need to be backported to stable, as it was merged in this release.
Sorry about the noise.
diff mbox

Patch

diff --git a/drivers/net/nfp/nfp_net.c b/drivers/net/nfp/nfp_net.c
index 048324ec9..78113b41b 100644
--- a/drivers/net/nfp/nfp_net.c
+++ b/drivers/net/nfp/nfp_net.c
@@ -3144,8 +3144,8 @@  nfp_fw_upload(struct rte_pci_device *dev, struct nfp_nsp *nsp, char *card)
 	struct nfp_cpp *cpp = nsp->cpp;
 	int fw_f;
 	char *fw_buf;
-	char fw_name[100];
-	char serial[100];
+	char fw_name[125];
+	char serial[40];
 	struct stat file_stat;
 	off_t fsize, bytes;