[PATCH v3] cmdline: prevent out-of-bounds read in completion buffer

Thomas Monjalon thomas at monjalon.net
Wed Jun 10 14:28:14 CEST 2026

Previous message (by thread): [PATCH v2 0/2] ethdev: fix out-of-bounds writes in rte_flow_conv()
Next message (by thread): [RFC v4 0/3] lib/fastmem: fast small-object allocator
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

30/04/2026 19:01, Daniil Iskhakov:
> tmp_buf is populated by the completion callback and is not guaranteed
> to be NUL-terminated.
> 
> The code already accounts for this when computing tmp_size with
> strnlen(tmp_buf, sizeof(tmp_buf)). However, another loop in the same
> path still walks tmp_buf until a NUL byte is found, without checking
> the buffer limit.
> 
> If the callback writes a full-sized non-NUL-terminated string, the loop
> may read past the end of tmp_buf.
> 
> Fix this by computing a bounded length for each completion choice before
> printing it.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: af75078fece3 ("first public release")
> Cc: stable at dpdk.org
> 
> Signed-off-by: Daniil Iskhakov <dish at amicon.ru>

Applied, thanks.

Previous message (by thread): [PATCH v2 0/2] ethdev: fix out-of-bounds writes in rte_flow_conv()
Next message (by thread): [RFC v4 0/3] lib/fastmem: fast small-object allocator
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the dev mailing list