https://bugs.dpdk.org/show_bug.cgi?id=792
Bug ID: 792
Summary: The dev_uev_parse function has a stack overflow bug.
Product: DPDK
Version: 21.08
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: Normal
Component: core
Assignee: dev@dpdk.org
Reporter: zhihongx.p...@intel.com
Target Milestone: ---
Code:
static int
dev_uev_parse(const char *buf, struct rte_dev_event *event, int length)
{
char action[EAL_UEV_MSG_ELEM_LEN];
char subsystem[EAL_UEV_MSG_ELEM_LEN];
char pci_slot_name[EAL_UEV_MSG_ELEM_LEN];
int i = 0;
memset(action, 0, EAL_UEV_MSG_ELEM_LEN);
memset(subsystem, 0, EAL_UEV_MSG_ELEM_LEN);
memset(pci_slot_name, 0, EAL_UEV_MSG_ELEM_LEN);
while (i < length) {
for (; i < length; i++) {
if (*buf)
break;
buf++;
}
/**
* check device uevent from kernel side, no need to check
* uevent from udev.
*/
if (!strncmp(buf, "libudev", 7)) {
buf += 7;
i += 7;
return -1;
}
if (!strncmp(buf, "ACTION=", 7)) {
buf += 7;
i += 7;
strlcpy(action, buf, sizeof(action));
} else if (!strncmp(buf, "SUBSYSTEM=", 10)) {
buf += 10;
i += 10;
strlcpy(subsystem, buf, sizeof(subsystem));
} else if (!strncmp(buf, "PCI_SLOT_NAME=", 14)) {
buf += 14;
i += 14;
strlcpy(pci_slot_name, buf, sizeof(subsystem));
event->devname = strdup(pci_slot_name);
}
Bug description:
Because the minimum length of the buff is not judged, when the length of the
buff is less than 7, strncmp will stack buff overflow.
--
You are receiving this mail because:
You are the assignee for the bug.
