[dpdk-dev] [PATCH v1 1/4] raw/ifpga/base: use trusted buffer to free

[Zhang, Tianfei]

> -----Original Message-----
> From: Huang, Wei <wei.huang at intel.com>
> Sent: 2021年3月17日 16:22
> To: dev at dpdk.org; Xu, Rosen <rosen.xu at intel.com>; Zhang, Qi Z
> <qi.z.zhang at intel.com>
> Cc: stable at dpdk.org; Zhang, Tianfei <tianfei.zhang at intel.com>; Huang, Wei
> <wei.huang at intel.com>
> Subject: [PATCH v1 1/4] raw/ifpga/base: use trusted buffer to free
> 
> In write_flash_image(), calling function "read" may taints variable "buf" which
> turn to an untrusted value as argument of "rte_free".
> 
> Coverity issue: 367477
> Fixes: 7a4f3993f269 ("raw/ifpga: add FPGA RSU APIs")
> 
> Signed-off-by: Wei Huang <wei.huang at intel.com>
> ---
>  drivers/raw/ifpga/base/ifpga_fme_rsu.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/raw/ifpga/base/ifpga_fme_rsu.c
> b/drivers/raw/ifpga/base/ifpga_fme_rsu.c
> index 28198abd78..d32f1eccb1 100644
> --- a/drivers/raw/ifpga/base/ifpga_fme_rsu.c
> +++ b/drivers/raw/ifpga/base/ifpga_fme_rsu.c
> @@ -92,6 +92,7 @@ static int write_flash_image(struct ifpga_sec_mgr *smgr,
> const char *image,
>  	uint32_t offset)
>  {
>  	void *buf = NULL;
> +	void *buf_to_free = NULL;
>  	int retry = 0;
>  	uint32_t length = 0;
>  	uint32_t to_transfer = 0;
> @@ -122,6 +123,7 @@ static int write_flash_image(struct ifpga_sec_mgr
> *smgr, const char *image,
>  		close(fd);
>  		return -ENOMEM;
>  	}
> +	buf_to_free = buf;
> 
>  	length = smgr->rsu_length;
>  	one_percent = length / 100;
> @@ -177,7 +179,7 @@ static int write_flash_image(struct ifpga_sec_mgr
> *smgr, const char *image,
>  	printf("\n");
> 
>  end:
> -	free(buf);
> +	free(buf_to_free);
>  	close(fd);
>  	return ret;
>  }

Acked-by: Tianfei zhang <Tianfei.zhang at intel.com>

> --
> 2.29.2