[dpdk-dev] [PATCH] bus/pci: fix driver name string manipulation

Andy Green andy at warmcat.com
Tue May 15 12:41:03 CEST 2018

Previous message: [dpdk-dev] [PATCH] bus/pci: fix driver name string manipulation
Next message: [dpdk-dev] [PATCH] bus/pci: fix driver name string manipulation
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]


On 05/15/2018 06:31 PM, Jerin Jacob wrote:
> -----Original Message-----
>> Date: Tue, 15 May 2018 18:19:19 +0800
>> From: Andy Green <andy at warmcat.com>
>> To: Jerin Jacob <jerin.jacob at caviumnetworks.com>, dev at dpdk.org
>> CC: thomas at monjalon.net, ferruh.yigit at intel.com, Pablo de Lara
>>   <pablo.de.lara.guarch at intel.com>
>> Subject: Re: [dpdk-dev] [PATCH] bus/pci: fix driver name string manipulation
>> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
>>   Thunderbird/52.7.0
>>
>>
>>
>> On 05/15/2018 06:03 PM, Jerin Jacob wrote:
>>> sizeof(dri_name) is 8B on 64Bit systems.The intended operation is coping
>>> the string after '/' from the string `name`.
>>>
>>> This bug is not letting to probe any device string >8B hence results in
>>> the testpmd error("No ethernet devices found) on some PMDs.
>>
>> You are right... but...
>>
>>> Cc: Andy Green <andy at warmcat.com>
>>> Cc: Pablo de Lara <pablo.de.lara.guarch at intel.com>
>>>
>>> Fixes: fe5f777b538 ("bus/pci: replace strncpy by strlcpy")
>>>
>>> Signed-off-by: Jerin Jacob <jerin.jacob at caviumnetworks.com>
>>> ---
>>>    drivers/bus/pci/linux/pci.c | 2 +-
>>>    1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/bus/pci/linux/pci.c b/drivers/bus/pci/linux/pci.c
>>> index a73ee49c2..cd45875b1 100644
>>> --- a/drivers/bus/pci/linux/pci.c
>>> +++ b/drivers/bus/pci/linux/pci.c
>>> @@ -54,7 +54,7 @@ pci_get_kernel_driver_by_path(const char *filename, char *dri_name)
>>>    	name = strrchr(path, '/');
>>>    	if (name) {
>>> -		strlcpy(dri_name, name + 1, sizeof(dri_name));
>>> +		strlcpy(dri_name, name + 1, strlen(name));
>>
>> ... this fix is no good.  The underlying problem is the length of dri_name
>> is not getting passed into this function... it just doesn't know how much of
>> dri_name is safe to use.  Telling it to use the strlen() of something
>> unrelated is going to make buffer overflows possible.
> 
> In this case, already there is a check for following in the code. So it is fine
> either way.
> 
>          path[count] = '\0';
>          name = strrchr(path, '/');

I understand.  But if any of that code changes, the copy can overrun. 
It's more robust if the copy limit is directly referenced to the 
destination size.

>> I sent a patch to the list a few hours ago that amends this function to take
>> the allocated length of dri_name, and sets the limit for the strlcpy() to
>> that, so no matter what turns up in name it's not possible to blow past
>> dri_name allocation.
>>
>> [dpdk-dev] [PATCH] bus/pci: correct the earlier strlcpy conversion
> 
> I am fine with taking any of the of the patch.  Please improve the patch subject
> and bug description in case if you prefer to take your original patch.

OK.  Or the maintainer is welcome to change the commit title how he 
likes directly.

-Andy

>>
>> -Andy
>>
>>>    		return 0;
>>>    	}
>>>

Previous message: [dpdk-dev] [PATCH] bus/pci: fix driver name string manipulation
Next message: [dpdk-dev] [PATCH] bus/pci: fix driver name string manipulation
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the dev mailing list