[PATCH 1/2] lib/pipeline: bound token concatenation when parsing instructions

Pengpeng Hou pengpeng at iscas.ac.cn
Sat Mar 21 03:16:27 CET 2026
Previous message (by thread): [PATCH v2] net/netvsc: switch data path to synthetic on device stop
Next message (by thread): [PATCH 2/2] net/cpfl: validate fieldvector offsets before copying keys
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
action_block_parse() and apply_block_parse() build instruction strings by concatenating untrusted tokens into a fixed-size stack buffer. Replace the open-coded strcat() loop with a helper that tracks the remaining capacity and fails when the assembled instruction would exceed RTE_SWX_INSTRUCTION_SIZE.

Signed-off-by: Pengpeng Hou <pengpeng at iscas.ac.cn>
---
 lib/pipeline/rte_swx_pipeline.c      | 30 ++++++++++++---------
 lib/pipeline/rte_swx_pipeline_spec.c | 40 ++++++++++++++++++----------
 2 files changed, 43 insertions(+), 27 deletions(-)

diff --git a/lib/pipeline/rte_swx_pipeline.c b/lib/pipeline/rte_swx_pipeline.c
index a915781..500b9d7 100644
--- a/lib/pipeline/rte_swx_pipeline.c
+++ b/lib/pipeline/rte_swx_pipeline.c
@@ -11,6 +11,7 @@
 #include <rte_eal_memconfig.h>
 #include <rte_jhash.h>
 #include <rte_hash_crc.h>
+#include <rte_string_fns.h>
 
 #include <rte_swx_port_ethdev.h>
 #include <rte_swx_port_fd.h>
@@ -42,6 +43,9 @@ do {                                                                           \
 	       RTE_SWX_INSTRUCTION_SIZE),                                      \
 	      err_code)
 
+#define CHECK_STRLCPY(dst, src, err_code)                                     \
+	CHECK(strlcpy((dst), (src), sizeof(dst)) < sizeof(dst), err_code)
+
 /*
  * Environment.
  */
@@ -5680,7 +5684,7 @@ instr_jmp_translate(struct rte_swx_pipeline *p __rte_unused,
 {
 	CHECK(n_tokens == 2, EINVAL);
 
-	strcpy(data->jmp_label, tokens[1]);
+	CHECK_STRLCPY(data->jmp_label, tokens[1], EINVAL);
 
 	instr->type = INSTR_JMP;
 	instr->jmp.ip = NULL; /* Resolved later. */
@@ -5699,7 +5703,7 @@ instr_jmp_valid_translate(struct rte_swx_pipeline *p,
 
 	CHECK(n_tokens == 3, EINVAL);
 
-	strcpy(data->jmp_label, tokens[1]);
+	CHECK_STRLCPY(data->jmp_label, tokens[1], EINVAL);
 
 	h = header_parse(p, tokens[2]);
 	CHECK(h, EINVAL);
@@ -5722,7 +5726,7 @@ instr_jmp_invalid_translate(struct rte_swx_pipeline *p,
 
 	CHECK(n_tokens == 3, EINVAL);
 
-	strcpy(data->jmp_label, tokens[1]);
+	CHECK_STRLCPY(data->jmp_label, tokens[1], EINVAL);
 
 	h = header_parse(p, tokens[2]);
 	CHECK(h, EINVAL);
@@ -5744,7 +5748,7 @@ instr_jmp_hit_translate(struct rte_swx_pipeline *p __rte_unused,
 	CHECK(!action, EINVAL);
 	CHECK(n_tokens == 2, EINVAL);
 
-	strcpy(data->jmp_label, tokens[1]);
+	CHECK_STRLCPY(data->jmp_label, tokens[1], EINVAL);
 
 	instr->type = INSTR_JMP_HIT;
 	instr->jmp.ip = NULL; /* Resolved later. */
@@ -5762,7 +5766,7 @@ instr_jmp_miss_translate(struct rte_swx_pipeline *p __rte_unused,
 	CHECK(!action, EINVAL);
 	CHECK(n_tokens == 2, EINVAL);
 
-	strcpy(data->jmp_label, tokens[1]);
+	CHECK_STRLCPY(data->jmp_label, tokens[1], EINVAL);
 
 	instr->type = INSTR_JMP_MISS;
 	instr->jmp.ip = NULL; /* Resolved later. */
@@ -5782,7 +5786,7 @@ instr_jmp_action_hit_translate(struct rte_swx_pipeline *p,
 	CHECK(!action, EINVAL);
 	CHECK(n_tokens == 3, EINVAL);
 
-	strcpy(data->jmp_label, tokens[1]);
+	CHECK_STRLCPY(data->jmp_label, tokens[1], EINVAL);
 
 	a = action_find(p, tokens[2]);
 	CHECK(a, EINVAL);
@@ -5806,7 +5810,7 @@ instr_jmp_action_miss_translate(struct rte_swx_pipeline *p,
 	CHECK(!action, EINVAL);
 	CHECK(n_tokens == 3, EINVAL);
 
-	strcpy(data->jmp_label, tokens[1]);
+	CHECK_STRLCPY(data->jmp_label, tokens[1], EINVAL);
 
 	a = action_find(p, tokens[2]);
 	CHECK(a, EINVAL);
@@ -5832,7 +5836,7 @@ instr_jmp_eq_translate(struct rte_swx_pipeline *p,
 
 	CHECK(n_tokens == 4, EINVAL);
 
-	strcpy(data->jmp_label, tokens[1]);
+	CHECK_STRLCPY(data->jmp_label, tokens[1], EINVAL);
 
 	fa = struct_field_parse(p, action, a, &a_struct_id);
 	CHECK(fa, EINVAL);
@@ -5892,7 +5896,7 @@ instr_jmp_neq_translate(struct rte_swx_pipeline *p,
 
 	CHECK(n_tokens == 4, EINVAL);
 
-	strcpy(data->jmp_label, tokens[1]);
+	CHECK_STRLCPY(data->jmp_label, tokens[1], EINVAL);
 
 	fa = struct_field_parse(p, action, a, &a_struct_id);
 	CHECK(fa, EINVAL);
@@ -5952,7 +5956,7 @@ instr_jmp_lt_translate(struct rte_swx_pipeline *p,
 
 	CHECK(n_tokens == 4, EINVAL);
 
-	strcpy(data->jmp_label, tokens[1]);
+	CHECK_STRLCPY(data->jmp_label, tokens[1], EINVAL);
 
 	fa = struct_field_parse(p, action, a, &a_struct_id);
 	CHECK(fa, EINVAL);
@@ -6012,7 +6016,7 @@ instr_jmp_gt_translate(struct rte_swx_pipeline *p,
 
 	CHECK(n_tokens == 4, EINVAL);
 
-	strcpy(data->jmp_label, tokens[1]);
+	CHECK_STRLCPY(data->jmp_label, tokens[1], EINVAL);
 
 	fa = struct_field_parse(p, action, a, &a_struct_id);
 	CHECK(fa, EINVAL);
@@ -6437,7 +6441,7 @@ instr_translate(struct rte_swx_pipeline *p,
 
 	/* Handle the optional instruction label. */
 	if ((n_tokens >= 2) && !strcmp(tokens[1], ":")) {
-		strcpy(data->label, tokens[0]);
+		CHECK_STRLCPY(data->label, tokens[0], EINVAL);
 
 		tpos += 2;
 		CHECK(n_tokens - tpos, EINVAL);
@@ -8541,7 +8545,7 @@ rte_swx_pipeline_table_config(struct rte_swx_pipeline *p,
 	/* Node initialization. */
 	strcpy(t->name, name);
 	if (args && args[0])
-		strcpy(t->args, args);
+		CHECK_STRLCPY(t->args, args, EINVAL);
 	t->type = type;
 
 	for (i = 0; i < params->n_fields; i++) {
diff --git a/lib/pipeline/rte_swx_pipeline_spec.c b/lib/pipeline/rte_swx_pipeline_spec.c
index 986bbe5..3df191e 100644
--- a/lib/pipeline/rte_swx_pipeline_spec.c
+++ b/lib/pipeline/rte_swx_pipeline_spec.c
@@ -39,6 +39,28 @@
 #define LEARNER_TIMEOUT_BLOCK 10
 #define APPLY_BLOCK 11
 
+static int
+buffer_append_tokens(char *buffer, size_t buffer_size, char **tokens,
+		     uint32_t n_tokens)
+{
+	size_t len = 0;
+	uint32_t i;
+
+	buffer[0] = 0;
+	for (i = 0; i < n_tokens; i++) {
+		int ret;
+
+		ret = snprintf(buffer + len, buffer_size - len, "%s%s",
+			       i ? " " : "", tokens[i]);
+		if ((ret < 0) || ((size_t)ret >= buffer_size - len))
+			return -ENAMETOOLONG;
+
+		len += (size_t)ret;
+	}
+
+	return 0;
+}
+
 /*
  * extobj.
  */
@@ -454,7 +476,6 @@ action_block_parse(struct action_spec *s,
 {
 	char buffer[RTE_SWX_INSTRUCTION_SIZE], *instr;
 	const char **new_instructions;
-	uint32_t i;
 
 	/* Handle end of block. */
 	if ((n_tokens == 1) && !strcmp(tokens[0], "}")) {
@@ -463,12 +484,8 @@ action_block_parse(struct action_spec *s,
 	}
 
 	/* spec. */
-	buffer[0] = 0;
-	for (i = 0; i < n_tokens; i++) {
-		if (i)
-			strcat(buffer, " ");
-		strcat(buffer, tokens[i]);
-	}
+	if (buffer_append_tokens(buffer, sizeof(buffer), tokens, n_tokens))
+		return -ENAMETOOLONG;
 
 	instr = strdup(buffer);
 	if (!instr) {
@@ -2142,7 +2159,6 @@ apply_block_parse(struct apply_spec *s,
 {
 	char buffer[RTE_SWX_INSTRUCTION_SIZE], *instr;
 	const char **new_instructions;
-	uint32_t i;
 
 	/* Handle end of block. */
 	if ((n_tokens == 1) && !strcmp(tokens[0], "}")) {
@@ -2151,12 +2167,8 @@ apply_block_parse(struct apply_spec *s,
 	}
 
 	/* spec. */
-	buffer[0] = 0;
-	for (i = 0; i < n_tokens; i++) {
-		if (i)
-			strcat(buffer, " ");
-		strcat(buffer, tokens[i]);
-	}
+	if (buffer_append_tokens(buffer, sizeof(buffer), tokens, n_tokens))
+		return -ENAMETOOLONG;
 
 	instr = strdup(buffer);
 	if (!instr) {
-- 
2.50.1 (Apple Git-155)
Previous message (by thread): [PATCH v2] net/netvsc: switch data path to synthetic on device stop
Next message (by thread): [PATCH 2/2] net/cpfl: validate fieldvector offsets before copying keys
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the dev mailing list