[PATCH v2] cmdline: prevent out-of-bounds read in completion buffer

[Konstantin Ananyev]

> tmp_buf is populated by the completion callback and is not guaranteed
> to be NUL-terminated.
> 
> The code already accounts for this when computing tmp_size with
> strnlen(tmp_buf, sizeof(tmp_buf)). However, another loop in the same
> path still walks tmp_buf until a NUL byte is found, without checking
> the buffer limit.
> 
> If the callback writes a full-sized non-NUL-terminated string, the loop
> may read past the end of tmp_buf.
> 
> Fix this by bounding the iteration with sizeof(tmp_buf).
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: af75078fece3 ("first public release")
> Cc: stable at dpdk.org
> 
> Signed-off-by: Daniil Iskhakov <dish at amicon.ru>
> ---
> v2:
> - Resent to dev at dpdk.org because v1 was accidentally sent only to
> maintainers.
> 
> Cc: sdl.dpdk at linuxtesting.org
> Cc: rrv at amicon.ru
> ---
>  lib/cmdline/cmdline_rdline.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/lib/cmdline/cmdline_rdline.c b/lib/cmdline/cmdline_rdline.c
> index ee070f0af3..bc91dc6002 100644
> --- a/lib/cmdline/cmdline_rdline.c
> +++ b/lib/cmdline/cmdline_rdline.c
> @@ -445,7 +445,7 @@ rdline_char_in(struct rdline *rdl, char c)
>  				rdline_puts(rdl, "\r\n");
>  				while (ret) {
>  					rdl->write_char(rdl, ' ');
> -					for (i=0 ; i < sizeof(tmp_buf) &&
> tmp_buf[i]; i++)
> +					for (i = 0 ; i < tmp_buf[i]; i++)

> Fix this by bounding the iteration with sizeof(tmp_buf).
The change doesn't much description, if fact it looks contrary.
Probably patch get screwed somehow?

>  						rdl->write_char(rdl, tmp_buf[i]);
>  					rdline_puts(rdl, "\r\n");
>  					ret = rdl->complete(rdl, rdl->left_buf,
> --
> 2.43.0