On 3/17/2021 8:21 AM, Wei Huang wrote:
In write_flash_image(), calling function "read" may taints variable
"buf" which turn to an untrusted value as argument of "rte_free".
Coverity issue: 367477
Fixes: 7a4f3993f269 ("raw/ifpga: add FPGA RSU APIs")
Hi Huang, Rosen,
I checked the coverity issue but still not clear about the problem. What does
'read' taints 'buf' mean?
The 'buf' passed as an argument to read, so all 'read' can do is change the
memory that 'buf' points, so why it should affect the 'free' at all?
If the memory is overflow etc, your change is just hiding the error not fixing
it.
And the error message mentions from 'rte_free', not 'free', not sure how
'rte_free' is involved in the problem, any idea?
Signed-off-by: Wei Huang <wei.hu...@intel.com>
---
drivers/raw/ifpga/base/ifpga_fme_rsu.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/raw/ifpga/base/ifpga_fme_rsu.c
b/drivers/raw/ifpga/base/ifpga_fme_rsu.c
index 28198abd78..d32f1eccb1 100644
--- a/drivers/raw/ifpga/base/ifpga_fme_rsu.c
+++ b/drivers/raw/ifpga/base/ifpga_fme_rsu.c
@@ -92,6 +92,7 @@ static int write_flash_image(struct ifpga_sec_mgr *smgr,
const char *image,
uint32_t offset)
{
void *buf = NULL;
+ void *buf_to_free = NULL;
int retry = 0;
uint32_t length = 0;
uint32_t to_transfer = 0;
@@ -122,6 +123,7 @@ static int write_flash_image(struct ifpga_sec_mgr *smgr,
const char *image,
close(fd);
return -ENOMEM;
}
+ buf_to_free = buf;
length = smgr->rsu_length;
one_percent = length / 100;
@@ -177,7 +179,7 @@ static int write_flash_image(struct ifpga_sec_mgr *smgr,
const char *image,
printf("\n");
end:
- free(buf);
+ free(buf_to_free);
close(fd);
return ret;
}
