From: Yunjian Wang <wangyunj...@huawei.com>

When the input string is "key=[", the ending '\0' is replaced
by a ',', leading to a heap buffer overflow.

Check the content of ctx1 to avoid this problem.

Fixes: cc0579f2339a ("kvargs: support list value")
Cc: sta...@dpdk.org

Signed-off-by: Yunjian Wang <wangyunj...@huawei.com>
Signed-off-by: Olivier Matz <olivier.m...@6wind.com>
---
 app/test/test_kvargs.c         | 1 +
 lib/librte_kvargs/rte_kvargs.c | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/app/test/test_kvargs.c b/app/test/test_kvargs.c
index f823b771f..2a2dae43a 100644
--- a/app/test/test_kvargs.c
+++ b/app/test/test_kvargs.c
@@ -217,6 +217,7 @@ static int test_invalid_kvargs(void)
                "foo=1,=2",        /* no key */
                "foo=[1,2",        /* no closing bracket in value */
                ",=",              /* also test with a smiley */
+               "foo=[",           /* no value in list and no closing bracket */
                NULL };
        const char **args;
        const char *valid_keys_list[] = { "foo", "check", NULL };
diff --git a/lib/librte_kvargs/rte_kvargs.c b/lib/librte_kvargs/rte_kvargs.c
index d39332999..1d815dcd9 100644
--- a/lib/librte_kvargs/rte_kvargs.c
+++ b/lib/librte_kvargs/rte_kvargs.c
@@ -50,6 +50,8 @@ rte_kvargs_tokenize(struct rte_kvargs *kvlist, const char 
*params)
                        /* Find the end of the list. */
                        while (str[strlen(str) - 1] != ']') {
                                /* Restore the comma erased by strtok_r(). */
+                               if (ctx1[0] == '\0')
+                                       return -1; /* no closing bracket */
                                str[strlen(str)] = ',';
                                /* Parse until next comma. */
                                str = strtok_r(NULL, RTE_KVARGS_PAIRS_DELIM, 
&ctx1);
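Review bot: The added guard `if (ctx1[0] == '\0')` dereferences the strtok_r() save pointer, whose contents POSIX leaves unspecified. It works where the implementation leaves that pointer on the terminating NUL, but a C library that resets it to NULL once the input is exhausted would turn the check into a NULL dereference; `if (ctx1 == NULL || ctx1[0] == '\0')` covers both. The two added lines also sit between the "Restore the comma erased by strtok_r()" comment and the assignment that comment describes. Moving them above that comment, with their own note such as `/* Nothing follows this token: writing ',' would overwrite the string terminator. */`, keeps each comment next to its code. The loop and the rest of rte_kvargs_tokenize continue outside this hunk, so the handling of the strtok_r() result is not visible here.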
-- 
2.25.1
