|WARNING| net/intel: fix use of non-recommended string functions
dpdklab at iol.unh.edu
dpdklab at iol.unh.edu
Tue Jun 23 17:22:58 CEST 2026
Test-Label: ai-code-review
Test-Status: WARNING
https://dpdk.org/patch/165995
_AI Code Review_
=== Patch Review: series.patch (via Claude) ===
Review date: 2026-06-23
# DPDK Patch Review
## Summary
This patch replaces unsafe string functions (`strncpy`, `strcpy`, `strcat`) with safer alternatives (`strlcpy`, `strlcat`). The changes are mostly correct, but there are several issues to address.
---
## Errors
### 1. `strlcat` on uninitialized buffer (ice_ethdev.c)
**File:** `drivers/net/intel/ice/ice_ethdev.c`
**Lines:** 2057-2058, 2061-2062
The code uses `strlcat` to append to `pkg_file` after `strlcpy`, but `pkg_file` is a local variable that may contain uninitialized data beyond the null terminator written by `strlcpy`. While `strlcat` will work correctly (it scans for the null terminator), the buffer should be zero-initialized for clarity and to avoid undefined behavior if the buffer size checks fail.
```c
/* Current code */
strlcpy(pkg_file, ICE_PKG_FILE_SEARCH_PATH_UPDATES, ICE_MAX_PKG_FILENAME_SIZE);
strlcat(pkg_file, opt_ddp_filename, ICE_MAX_PKG_FILENAME_SIZE);
```
**Issue:** If `strlcpy` truncates (returns >= `ICE_MAX_PKG_FILENAME_SIZE`), the subsequent `strlcat` operates on a truncated path, silently producing a wrong filename. Neither call checks the return value.
**Suggested fix:**
```c
char pkg_file[ICE_MAX_PKG_FILENAME_SIZE] = {0};
size_t len;
len = strlcpy(pkg_file, ICE_PKG_FILE_SEARCH_PATH_UPDATES, sizeof(pkg_file));
if (len >= sizeof(pkg_file)) {
PMD_INIT_LOG(ERR, "Package path too long");
return -1;
}
len = strlcat(pkg_file, opt_ddp_filename, sizeof(pkg_file));
if (len >= sizeof(pkg_file)) {
PMD_INIT_LOG(ERR, "Package filename too long");
return -1;
}
```
**Same issue at lines 2061-2062, 2057-2058, and 2061-2062.** All four `strlcpy`+`strlcat` sequences need the same fix.
---
## Warnings
### 1. Missing return value checks on `strlcpy` (multiple files)
**Files:** `cpfl_ethdev.c`, `cpfl_flow_parser.c`, `i40e_ethdev.c`, `idpf_ethdev.c`, `ice_ethdev.c`
`strlcpy` returns the length of the source string. If the return value is >= the destination size, truncation occurred. While truncation may be acceptable in some contexts (e.g., logging), the code should verify that critical paths do not silently truncate identifiers or configuration strings.
**Examples:**
- `cpfl_ethdev.c:2537`: Device name truncation could cause confusion in logs or multi-device setups
- `cpfl_flow_parser.c:214, 719, 744, 812, 858, 1808`: Field name truncation could break flow rule matching
- `ice_ethdev.c:1900`: Driver version string truncation (less critical, but should be verified)
- `idpf_ethdev.c:1500`: Device name truncation
**Suggested approach:**
For critical paths (device names, flow rule field names), add a check:
```c
if (strlcpy(dst, src, sizeof(dst)) >= sizeof(dst)) {
PMD_DRV_LOG(ERR, "String truncation: %s", src);
return -EINVAL; /* or goto err */
}
```
For non-critical paths (version strings, logging), the current code is acceptable but a comment explaining truncation is intentional would be helpful.
### 2. Redundant bounds check before `strlcpy`
**File:** `drivers/net/intel/cpfl/cpfl_flow_parser.c`
**Lines:** 209-211, 714-716, 739-741, 807-809, 853-855
The code checks `strlen(name) >= CPFL_JS_STR_SIZE` before calling `strlcpy`. This check is redundant because `strlcpy` already handles this case by truncating and null-terminating. However, the current code returns an error on truncation, which is the safer behavior for field names that must match exactly.
**Current pattern:**
```c
if (strlen(name) >= CPFL_JS_STR_SIZE) {
PMD_DRV_LOG(ERR, "The 'name' is too long.");
goto err;
}
strlcpy(js_field->fields[i].name, name, CPFL_JS_STR_SIZE);
```
**This is actually correct.** The pre-check enforces exact match requirements. However, the pattern could be simplified by checking `strlcpy`'s return value instead:
```c
if (strlcpy(js_field->fields[i].name, name, CPFL_JS_STR_SIZE) >= CPFL_JS_STR_SIZE) {
PMD_DRV_LOG(ERR, "The 'name' is too long: %s", name);
goto err;
}
```
This is a **suggestion**, not a required change. The current code is correct.
### 3. Style: sizeof(array) vs constant
**Files:** `cpfl_flow_parser.c`, `ice_ethdev.c`
Some calls use `CPFL_JS_STR_SIZE` (the defined constant) while others could use `sizeof(destination)` for consistency with the rest of the patch. This is a minor style inconsistency.
**Example:**
```c
/* Current */
strlcpy(js_field->fields[i].name, name, CPFL_JS_STR_SIZE);
/* Alternative (more consistent with other changes in this patch) */
strlcpy(js_field->fields[i].name, name, sizeof(js_field->fields[i].name));
```
**This is acceptable either way.** Using the constant is fine if `CPFL_JS_STR_SIZE` matches the actual array size. No change required.
---
## Info
### 1. Removed `memset` before `strlcpy` (i40e_ethdev.c)
**File:** `drivers/net/intel/i40e/i40e_ethdev.c`
**Line:** 11919
The patch removes `memset(name, 0, sizeof(name));` before `strlcpy`. This is correct because `strlcpy` null-terminates the destination, making the `memset` unnecessary. Good cleanup.
### 2. `strcpy` to `strlcpy` with `sizeof` destination (e1000, ixgbe)
**Files:** `e1000/igb_ethdev.c:2050-2052`, `ixgbe/ixgbe_ethdev.c:3638-3640`
The patch correctly changes `strcpy` to `strlcpy` and adds the destination size. The `sizeof(xstats_names[i].name)` argument is correct (it's an array member of a struct, not a pointer).
---
## Positive Observations
1. **Consistent pattern**: The patch uniformly replaces unsafe functions throughout the Intel driver subsystem
2. **Correct `sizeof` usage**: All changes use `sizeof(destination)` correctly, not `sizeof(pointer)`
3. **Maintains functionality**: No behavioral changes except improved safety
4. **Appropriate use of `strlcat`**: The `strcat` - `strlcat` changes are correct (ice_ethdev.c)
---
## Recommendations
1. **Critical (Error):** Add return value checks and error handling for the `strlcpy`+`strlcat` sequences in `ice_ethdev.c` (lines 2057-2062). Truncation here would cause incorrect file paths.
2. **Important (Warning):** Consider adding return value checks for `strlcpy` on device names (`cpfl_ethdev.c:2537`, `idpf_ethdev.c:1500`) and flow parser field names (`cpfl_flow_parser.c`). Truncation could cause subtle bugs.
3. **Optional (Info):** The patch is otherwise correct and ready after addressing the `strlcat` error handling.
---
## Severity Summary
- **Errors:** 1 (missing error handling for `strlcat` on potentially truncated paths)
- **Warnings:** 2 (missing return value checks in critical paths)
- **Info:** 2 (positive observations)
The patch is a valuable improvement to code safety. The primary concern is ensuring path construction in `ice_load_pkg` cannot silently produce wrong filenames.
More information about the test-report
mailing list