[PATCH v2] cmdline: prevent out-of-bounds read in completion buffer

[Daniil Iskhakov]

tmp_buf is populated by the completion callback and is not guaranteed
to be NUL-terminated.

The code already accounts for this when computing tmp_size with
strnlen(tmp_buf, sizeof(tmp_buf)). However, another loop in the same
path still walks tmp_buf until a NUL byte is found, without checking
the buffer limit.

If the callback writes a full-sized non-NUL-terminated string, the loop
may read past the end of tmp_buf.

Fix this by bounding the iteration with sizeof(tmp_buf).

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: af75078fece3 ("first public release")
Cc: stable at dpdk.org

Signed-off-by: Daniil Iskhakov <dish at amicon.ru>
---
v2:
- Resent to dev at dpdk.org because v1 was accidentally sent only to
maintainers.

Cc: sdl.dpdk at linuxtesting.org
Cc: rrv at amicon.ru
---
 lib/cmdline/cmdline_rdline.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/cmdline/cmdline_rdline.c b/lib/cmdline/cmdline_rdline.c
index ee070f0af3..bc91dc6002 100644
--- a/lib/cmdline/cmdline_rdline.c
+++ b/lib/cmdline/cmdline_rdline.c
@@ -445,7 +445,7 @@ rdline_char_in(struct rdline *rdl, char c)
 				rdline_puts(rdl, "\r\n");
 				while (ret) {
 					rdl->write_char(rdl, ' ');
-					for (i=0 ; i < sizeof(tmp_buf) && tmp_buf[i]; i++)
+					for (i = 0 ; i < tmp_buf[i]; i++)
 						rdl->write_char(rdl, tmp_buf[i]);
 					rdline_puts(rdl, "\r\n");
 					ret = rdl->complete(rdl, rdl->left_buf,
-- 
2.43.0