From: Yunjian Wang <wangyunj...@huawei.com> When the input string is "key=[", the ending '\0' is replaced by a ',', leading to a heap buffer overflow.
Check the content of ctx1 to avoid this problem. Fixes: cc0579f2339a ("kvargs: support list value") Cc: sta...@dpdk.org Signed-off-by: Yunjian Wang <wangyunj...@huawei.com> Signed-off-by: Olivier Matz <olivier.m...@6wind.com> --- app/test/test_kvargs.c | 1 + lib/librte_kvargs/rte_kvargs.c | 2 ++ 2 files changed, 3 insertions(+) diff --git a/app/test/test_kvargs.c b/app/test/test_kvargs.c index f823b771f..2a2dae43a 100644 --- a/app/test/test_kvargs.c +++ b/app/test/test_kvargs.c @@ -217,6 +217,7 @@ static int test_invalid_kvargs(void) "foo=1,=2", /* no key */ "foo=[1,2", /* no closing bracket in value */ ",=", /* also test with a smiley */ + "foo=[", /* no value in list and no closing bracket */ NULL }; const char **args; const char *valid_keys_list[] = { "foo", "check", NULL }; diff --git a/lib/librte_kvargs/rte_kvargs.c b/lib/librte_kvargs/rte_kvargs.c index d39332999..1d815dcd9 100644 --- a/lib/librte_kvargs/rte_kvargs.c +++ b/lib/librte_kvargs/rte_kvargs.c @@ -50,6 +50,8 @@ rte_kvargs_tokenize(struct rte_kvargs *kvlist, const char *params) /* Find the end of the list. */ while (str[strlen(str) - 1] != ']') { /* Restore the comma erased by strtok_r(). */ + if (ctx1[0] == '\0') + return -1; /* no closing bracket */ str[strlen(str)] = ','; /* Parse until next comma. */ str = strtok_r(NULL, RTE_KVARGS_PAIRS_DELIM, &ctx1); -- 2.25.1