Re: [dpdk-dev] [PATCH v2] lib/cfgfile: replace strcat with strlcat

Fri, 05 Apr 2019 05:54:20 -0700 

27/03/2019 12:37, Ferruh Yigit:
> On 3/26/2019 10:04 AM, Chaitanya Babu, TalluriX wrote:
> > From: Yigit, Ferruh
> >> On 3/8/2019 2:02 PM, Bruce Richardson wrote:
> >>> On Fri, Mar 08, 2019 at 12:45:50PM +0000, Chaitanya Babu Talluri wrote:
> >>>> Replace strcat with strlcat to avoid buffer overflow.
> >>>>
> >>>> Fixes: a6a47ac9c2 ("cfgfile: rework load function")
> >>>> Cc: sta...@dpdk.org
> >>>>
> >>>> Signed-off-by: Chaitanya Babu Talluri
> >>>> <tallurix.chaitanya.b...@intel.com>
> >>>> ---
> >>>> @@ -224,10 +225,11 @@ rte_cfgfile_load_with_params(const char
> >> *filename, int flags,
> >>>>                          _strip(split[1], strlen(split[1]));
> >>>>                          char *end = memchr(split[1], '\\', 
> >>>> strlen(split[1]));
> >>>>
> >>>> +                        size_t split_len = strlen(split[1]) + 1;
> >>>>                          while (end != NULL) {
> >>>>                                  if (*(end+1) == 
> >>>> params->comment_character)
> >> {
> >>>>                                          *end = '\0';
> >>>> -                                        strcat(split[1], end+1);
> >>>> +                                        strlcat(split[1], end+1, 
> >>>> split_len);
> >>>
> >>> I don't think this will do what you want. Remember that strlcat takes
> >>> the total length of the buffer, which means that if split_len is set
> >>> to the current length (as you do before the while statement), then
> >>> passing that as the length parameter will cause strlcat to do nothing,
> >>> since it sees the buffer as already full.
> >>
> >> The logic doesn't lengthen the 'split[1]' content, indeed it reduces the 
> >> initial
> >> size although it uses string concatenation, that is why it should be OK to 
> >> use
> >> 'split_len' here.
> >>
> >> What code does is, it finds specific char in 'split' buffer and removes it 
> >> by
> >> shifting remaining chars one byte to the left. So it shouldn't pass the 
> >> initial size
> >> of the buffer.
> >>
> >> There is a overlapping strings concern, which 'strcat' & 'strlcat' don't 
> >> support,
> >> but I guess it is OK here since we are sure that strings are separated by a
> >> NULL, so where a char read and written should be different although overall
> >> dst and src buffers overlap.
> > 
> > Yes, although the same string is manipulated the split string (*end = '\0') 
> > is separated with NULL.
> > Strlcat works fine here and expected concatenation  is happening.
> > If there are no further comments request for ACK please.
> 
> Acked-by: Ferruh Yigit <ferruh.yi...@intel.com>

Applied, thanks

Reply via email to