In rte_fpga_do_pr, calling read() may taint its buffer argument, which then reaches rte_free() as an untrusted value.
Signed-off-by: Wei Huang <wei.hu...@intel.com>
---
 drivers/raw/ifpga/ifpga_rawdev.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/raw/ifpga/ifpga_rawdev.c b/drivers/raw/ifpga/ifpga_rawdev.c
index bf0613e..357f07b 100644
--- a/drivers/raw/ifpga/ifpga_rawdev.c
+++ b/drivers/raw/ifpga/ifpga_rawdev.c
@@ -786,7 +786,7 @@ rte_fpga_do_pr(struct rte_rawdev *rawdev, int port_id,
 int file_fd;
 int ret = 0;
 ssize_t buffer_size;
- void *buffer;
+ void *buffer, *buf_to_free;
 u64 pr_error;
 if (!file_name)
@@ -818,6 +818,7 @@ rte_fpga_do_pr(struct rte_rawdev *rawdev, int port_id,
 ret = -ENOMEM;
 goto close_fd;
 }
+ buf_to_free = buffer;
 /*read the raw data*/
 if (buffer_size != read(file_fd, (void *)buffer, buffer_size)) {
@@ -835,8 +836,8 @@ rte_fpga_do_pr(struct rte_rawdev *rawdev, int port_id,
 }
 free_buffer:
- if (buffer)
- rte_free(buffer);
+ if (buf_to_free)
+ rte_free(buf_to_free);
 close_fd:
 close(file_fd);
 file_fd = 0;
--
2.7.3
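Review bot: `buf_to_free` is declared in the first hunk without an initializer, so the `if (buf_to_free)` guard added under `free_buffer:` in the third hunk only protects anything if every path to that label runs after the assignment in the second hunk. In the visible lines the allocation-failure path jumps to `close_fd`, which is fine, but the body of rte_fpga_do_pr starts and ends outside these hunks, so an earlier `goto free_buffer` cannot be ruled out from here. Initialising at the declaration makes the guard safe on any path: `void *buffer, *buf_to_free = NULL;`.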
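Review bot: The assignment `buf_to_free = buffer;` in the second hunk has no comment saying why a second pointer exists, and nothing in the code distinguishes it from a redundant copy. read() writes through `buffer` but does not change the pointer value, so the copy appears to exist only so that rte_free() receives a pointer the static analyser does not treat as tainted. I would add `/* untainted copy for rte_free(); read() below marks buffer as tainted for static analysis */` above it, otherwise a later cleanup is likely to merge the two variables and bring the warning back.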