From: Yunjian Wang <wangyunj...@huawei.com>
When the input string is "key=[", the ending '\0' is replaced
by a ',', leading to a heap buffer overflow.
Check the content of ctx1 to avoid this problem.
Fixes: cc0579f2339a ("kvargs: support list value")
Cc: sta...@dpdk.org
Signed-off-by: Yunjian Wang <wangyunj...@huawei.com>
Signed-off-by: Olivier Matz <olivier.m...@6wind.com>
---
app/test/test_kvargs.c | 1 +
lib/librte_kvargs/rte_kvargs.c | 2 ++
2 files changed, 3 insertions(+)
diff --git a/app/test/test_kvargs.c b/app/test/test_kvargs.c
index f823b771f..2a2dae43a 100644
--- a/app/test/test_kvargs.c
+++ b/app/test/test_kvargs.c
@@ -217,6 +217,7 @@ static int test_invalid_kvargs(void)
"foo=1,=2", /* no key */
"foo=[1,2", /* no closing bracket in value */
",=", /* also test with a smiley */
+ "foo=[", /* no value in list and no closing bracket */
NULL };
const char **args;
const char *valid_keys_list[] = { "foo", "check", NULL };
diff --git a/lib/librte_kvargs/rte_kvargs.c b/lib/librte_kvargs/rte_kvargs.c
index d39332999..1d815dcd9 100644
--- a/lib/librte_kvargs/rte_kvargs.c
+++ b/lib/librte_kvargs/rte_kvargs.c
@@ -50,6 +50,8 @@ rte_kvargs_tokenize(struct rte_kvargs *kvlist, const char
*params)
/* Find the end of the list. */
while (str[strlen(str) - 1] != ']') {
/* Restore the comma erased by strtok_r(). */
+ if (ctx1[0] == '\0')
+ return -1; /* no closing bracket */
str[strlen(str)] = ',';
/* Parse until next comma. */
str = strtok_r(NULL, RTE_KVARGS_PAIRS_DELIM,
&ctx1);
--
2.25.1
