patch 'cmdline: harden parser result buffer handling' has been queued to stable release 24.11.7

luca.boccassi at gmail.com luca.boccassi at gmail.com
Thu Jun 11 15:19:14 CEST 2026

Previous message (by thread): patch 'cfgfile: prevent overflow on resize' has been queued to stable release 24.11.7
Next message (by thread): patch 'cmdline: guard zero-size destination buffers' has been queued to stable release 24.11.7
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

FYI, your patch has been queued to stable release 24.11.7

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 06/13/26. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/bluca/dpdk-stable

This queued commit can be viewed at:
https://github.com/bluca/dpdk-stable/commit/14fa09241760271b162ab68ee23ffb410f19c81b

Thanks.

Luca Boccassi

---
>From 14fa09241760271b162ab68ee23ffb410f19c81b Mon Sep 17 00:00:00 2001
From: Bruce Richardson <bruce.richardson at intel.com>
Date: Thu, 7 May 2026 15:59:46 +0100
Subject: [PATCH] cmdline: harden parser result buffer handling

[ upstream commit 0d89b5f60778d4a5e22076c9487d33fb81f4e44b ]

The cmdline parser had a few result-buffer safety gaps.

In boolean token parsing, the parser could write through a NULL output
pointer in parse-only paths (for example completion/match checks).  Add
proper output-pointer and output-size checks before storing the parsed
value.

In instruction matching, reject token offsets that are equal to the
result buffer size, not only greater than it, so tokens are never parsed
with a zero-sized output window at the end of the buffer.

In completion formatting, handle truncated strlcpy() output before
appending help text, preventing offset/size misuse when the destination
buffer is small.

Fixes: 985465997b73 ("ethdev: add xstats API to enable/disable counter")
Fixes: af75078fece3 ("first public release")

Signed-off-by: Bruce Richardson <bruce.richardson at intel.com>
---
 lib/cmdline/cmdline_parse.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib/cmdline/cmdline_parse.c b/lib/cmdline/cmdline_parse.c
index 76a212d001..1035e084fa 100644
--- a/lib/cmdline/cmdline_parse.c
+++ b/lib/cmdline/cmdline_parse.c
@@ -131,7 +131,7 @@ match_inst(cmdline_parse_inst_t *inst, const char *buf,
 		} else {
 			unsigned rb_sz;
 
-			if (token_hdr.offset > resbuf_size) {
+			if (token_hdr.offset >= resbuf_size) {
 				printf("Parse error(%s:%d): Token offset(%u) "
 					"exceeds maximum size(%u)\n",
 					__FILE__, __LINE__,
@@ -514,7 +514,9 @@ cmdline_complete(struct cmdline *cl, const char *buf, int *state,
 				}
 				(*state)++;
 				l=strlcpy(dst, tmpbuf, size);
-				if (l>=0 && token_hdr.ops->get_help) {
+				if ((unsigned int)l >= size)
+					return 1;
+				if (token_hdr.ops->get_help) {
 					token_hdr.ops->get_help(token_p, tmpbuf,
 								sizeof(tmpbuf));
 					help_str = inst->help_str;
-- 
2.47.3

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2026-06-11 14:20:01.591875851 +0100
+++ 0005-cmdline-harden-parser-result-buffer-handling.patch	2026-06-11 14:20:01.166744816 +0100
@@ -1 +1 @@
-From 0d89b5f60778d4a5e22076c9487d33fb81f4e44b Mon Sep 17 00:00:00 2001
+From 14fa09241760271b162ab68ee23ffb410f19c81b Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit 0d89b5f60778d4a5e22076c9487d33fb81f4e44b ]
+
@@ -23 +24,0 @@
-Cc: stable at dpdk.org
@@ -27,3 +28,2 @@
- lib/cmdline/cmdline_parse.c      |  6 ++++--
- lib/cmdline/cmdline_parse_bool.c | 19 ++++++++++++++++---
- 2 files changed, 20 insertions(+), 5 deletions(-)
+ lib/cmdline/cmdline_parse.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
@@ -32 +32 @@
-index 201fddb8c3..d55c8db19d 100644
+index 76a212d001..1035e084fa 100644
@@ -35 +35 @@
-@@ -133,7 +133,7 @@ match_inst(cmdline_parse_inst_t *inst, const char *buf,
+@@ -131,7 +131,7 @@ match_inst(cmdline_parse_inst_t *inst, const char *buf,
@@ -44 +44 @@
-@@ -519,7 +519,9 @@ cmdline_complete(struct cmdline *cl, const char *buf, int *state,
+@@ -514,7 +514,9 @@ cmdline_complete(struct cmdline *cl, const char *buf, int *state,
@@ -55,38 +54,0 @@
-diff --git a/lib/cmdline/cmdline_parse_bool.c b/lib/cmdline/cmdline_parse_bool.c
-index e03cc3d545..a3f7adab58 100644
---- a/lib/cmdline/cmdline_parse_bool.c
-+++ b/lib/cmdline/cmdline_parse_bool.c
-@@ -35,17 +35,30 @@ static cmdline_parse_token_string_t cmd_parse_token_bool = {
- /* parse string to bool */
- int
- cmdline_parse_bool(__rte_unused cmdline_parse_token_hdr_t *tk, const char *srcbuf, void *res,
--	__rte_unused unsigned int ressize)
-+	unsigned int ressize)
- {
- 	cmdline_fixed_string_t on_off = {0};
-+	uint8_t val;
-+
-+	if (!srcbuf || !*srcbuf)
-+		return -1;
-+
-+	if (res != NULL && ressize < sizeof(uint8_t))
-+		return -1;
-+
- 	if (cmdline_token_string_ops.parse
- 			(&cmd_parse_token_bool.hdr, srcbuf, on_off, sizeof(on_off)) < 0)
- 		return -1;
- 
- 	if (strcmp((char *)on_off, "on") == 0)
--		*(uint8_t *)res = 1;
-+		val = 1;
- 	else if (strcmp((char *)on_off, "off") == 0)
--		*(uint8_t *)res = 0;
-+		val = 0;
-+	else
-+		return -1;
-+
-+	if (res != NULL)
-+		*(uint8_t *)res = val;
- 
- 	return strlen(on_off);
- }

Previous message (by thread): patch 'cfgfile: prevent overflow on resize' has been queued to stable release 24.11.7
Next message (by thread): patch 'cmdline: guard zero-size destination buffers' has been queued to stable release 24.11.7
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the stable mailing list