From patchwork Fri Apr 23 07:38:08 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: "humin (Q)" <humin29@huawei.com>
X-Patchwork-Id: 92053
X-Patchwork-Delegate: jerinj@marvell.com
Return-Path: <dev-bounces@dpdk.org>
X-Original-To: patchwork@inbox.dpdk.org
Delivered-To: patchwork@inbox.dpdk.org
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 433F7A0548;
	Fri, 23 Apr 2021 09:38:14 +0200 (CEST)
Received: from [217.70.189.124] (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id BECEA4067E;
	Fri, 23 Apr 2021 09:38:13 +0200 (CEST)
Received: from szxga04-in.huawei.com (szxga04-in.huawei.com [45.249.212.190])
 by mails.dpdk.org (Postfix) with ESMTP id EF03B4014F
 for <dev@dpdk.org>; Fri, 23 Apr 2021 09:38:11 +0200 (CEST)
Received: from DGGEMS414-HUB.china.huawei.com (unknown [172.30.72.58])
 by szxga04-in.huawei.com (SkyGuard) with ESMTP id 4FRR0T62F8z1BH9K;
 Fri, 23 Apr 2021 15:35:37 +0800 (CST)
Received: from localhost.localdomain (10.69.192.56) by
 DGGEMS414-HUB.china.huawei.com (10.3.19.214) with Microsoft SMTP Server id
 14.3.498.0; Fri, 23 Apr 2021 15:37:58 +0800
From: "Min Hu (Connor)" <humin29@huawei.com>
To: <dev@dpdk.org>
CC: <ferruh.yigit@intel.com>, <jerinj@marvell.com>, <thomas@monjalon.net>
Date: Fri, 23 Apr 2021 15:38:08 +0800
Message-ID: <1619163488-63913-1-git-send-email-humin29@huawei.com>
X-Mailer: git-send-email 2.7.4
MIME-Version: 1.0
X-Originating-IP: [10.69.192.56]
X-CFilter-Loop: Reflected
Subject: [dpdk-dev] [PATCH] app/testeventdev: fix buffer overflow
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

Tainted and unvalidated integer 'idx' used as an index, which may
lead to buffer overflow.

This patch fixed it.

Fixes: 89e5eb118017 ("app/testeventdev: add string parsing helpers")
Cc: stable@dpdk.org

Signed-off-by: Min Hu (Connor) <humin29@huawei.com>
Acked-by: Pavan Nikhilesh <pbhagavatula@marvell.com>
---
 app/test-eventdev/evt_options.c | 4 ++--
 app/test-eventdev/parser.c      | 6 ++++--
 app/test-eventdev/parser.h      | 2 +-
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/app/test-eventdev/evt_options.c b/app/test-eventdev/evt_options.c
index 0d55405..061b63e 100644
--- a/app/test-eventdev/evt_options.c
+++ b/app/test-eventdev/evt_options.c
@@ -221,7 +221,7 @@ evt_parse_plcores(struct evt_options *opt, const char *corelist)
 {
 	int ret;
 
-	ret = parse_lcores_list(opt->plcores, corelist);
+	ret = parse_lcores_list(opt->plcores, RTE_MAX_LCORE, corelist);
 	if (ret == -E2BIG)
 		evt_err("duplicate lcores in plcores");
 
@@ -233,7 +233,7 @@ evt_parse_work_lcores(struct evt_options *opt, const char *corelist)
 {
 	int ret;
 
-	ret = parse_lcores_list(opt->wlcores, corelist);
+	ret = parse_lcores_list(opt->wlcores, RTE_MAX_LCORE, corelist);
 	if (ret == -E2BIG)
 		evt_err("duplicate lcores in wlcores");
 
diff --git a/app/test-eventdev/parser.c b/app/test-eventdev/parser.c
index 24f1855..7a973cb 100644
--- a/app/test-eventdev/parser.c
+++ b/app/test-eventdev/parser.c
@@ -310,7 +310,7 @@ parse_hex_string(char *src, uint8_t *dst, uint32_t *size)
 }
 
 int
-parse_lcores_list(bool lcores[], const char *corelist)
+parse_lcores_list(bool lcores[], int lcores_num, const char *corelist)
 {
 	int i, idx = 0;
 	int min, max;
@@ -332,6 +332,8 @@ parse_lcores_list(bool lcores[], const char *corelist)
 		if (*corelist == '\0')
 			return -1;
 		idx = strtoul(corelist, &end, 10);
+		if (idx < 0 || idx > lcores_num)
+			return -1;
 
 		if (end == NULL)
 			return -1;
@@ -343,7 +345,7 @@ parse_lcores_list(bool lcores[], const char *corelist)
 			max = idx;
 			if (min == RTE_MAX_LCORE)
 				min = idx;
-			for (idx = min; idx <= max; idx++) {
+			for (idx = min; idx < max; idx++) {
 				if (lcores[idx] == 1)
 					return -E2BIG;
 				lcores[idx] = 1;
diff --git a/app/test-eventdev/parser.h b/app/test-eventdev/parser.h
index 673ff22..696b40a 100644
--- a/app/test-eventdev/parser.h
+++ b/app/test-eventdev/parser.h
@@ -46,5 +46,5 @@ int parse_hex_string(char *src, uint8_t *dst, uint32_t *size);
 
 int parse_tokenize_string(char *string, char *tokens[], uint32_t *n_tokens);
 
-int parse_lcores_list(bool lcores[], const char *corelist);
+int parse_lcores_list(bool lcores[], int lcores_num, const char *corelist);
 #endif