From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Olivier MATZ
Subject: Re: [PATCH] fixed buffer overrun in handling log messages
Date: Thu, 02 May 2013 10:24:17 +0200
Message-ID: <518222B1.9050003@6wind.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="------------080209020304030004020002"
Cc: dev-VfR2kkLFssw@public.gmane.org
To: "Han, Dongsu"
List-Id: patches and discussions about DPDK
Errors-To: dev-bounces-VfR2kkLFssw@public.gmane.org
Sender: "dev"

This is a multi-part message in MIME format.
--------------080209020304030004020002
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: quoted-printable

Hi,

Thank you for this patch. You are right, the '\0' is written outside
the bounds of the buffer. I would suggest a minor modification to your
patch, please see attachment.

Regards,
Olivier

On 05/01/2013 08:50 PM, Han, Dongsu wrote:
> I'm sending a proposed patch to fix the buffer overrun problem in
> handling log messages.
>
> Dongsu Han
>
>
> _______________________________________________
> dev mailing list
> dev-VfR2kkLFssw@public.gmane.org
> http://dpdk.org/ml/listinfo/dev

-- 
Olivier MATZ
Tel +33-1-39-30-92-57
www.6wind.com
--------------080209020304030004020002
Content-Type: text/x-patch; name="0001-eal-log-fix-memory-corruption.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="0001-eal-log-fix-memory-corruption.patch"

>>From e14f9b05dbc8aca332fa6532382df6a70ff6da25 Mon Sep 17 00:00:00 2001
From: Dongsu Han
Date: Thu, 2 May 2013 10:14:58 +0200
Subject: eal/log: fix memory corruption

The '\0' is written outside the bounds of the log buffer, which can
result in memory corruption or display issues with log messages. Use a
new constant LOG_BUF_SIZE to store the effective size of the buffer in
struct log_history.

Acked-by: Olivier Matz
Signed-off-by: Dongsu Han
--- lib/librte_eal/common/eal_common_log.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/librte_eal/common/eal_common_log.c b/lib/librte_eal/common/eal_common_log.c index 1362109..21970c5 100644 --- a/lib/librte_eal/common/eal_common_log.c +++ b/lib/librte_eal/common/eal_common_log.c @@ -64,6 +64,7 @@ #include "eal_private.h" #define LOG_ELT_SIZE 2048 +#define LOG_BUF_SIZE (LOG_ELT_SIZE - sizeof(struct log_history)) #define LOG_HISTORY_MP_NAME "log_history" 
@@ -196,7 +197,7 @@ rte_log_add_in_history(const char *buf, size_t size) } /* not enough room for msg, buffer go back in mempool */ - if (size >= (LOG_ELT_SIZE - sizeof(*hist_buf))) { + if (size >= LOG_BUF_SIZE) { rte_mempool_mp_put(log_history_mp, hist_buf); rte_spinlock_unlock(&log_list_lock); return -ENOBUFS; @@ -204,7 +205,7 @@ rte_log_add_in_history(const char *buf, size_t size) /* add in history */ memcpy(hist_buf->buf, buf, size); - hist_buf->buf[LOG_ELT_SIZE-1] = '\0'; + hist_buf->buf[LOG_BUF_SIZE-1] = '\0'; hist_buf->size = size; STAILQ_INSERT_TAIL(&log_history, hist_buf, next); rte_spinlock_unlock(&log_list_lock); -- 1.7.10.4 --------------080209020304030004020002 Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ dev mailing list dev-VfR2kkLFssw@public.gmane.org http://dpdk.org/ml/listinfo/dev --------------080209020304030004020002--
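Review bot: the new `LOG_BUF_SIZE` define in the first hunk (@@ -64,6 +64,7 @@) has no comment and no guard on its own arithmetic. Because `sizeof` yields a `size_t`, the subtraction is unsigned: if `struct log_history` ever grows to `LOG_ELT_SIZE` bytes or more, the result wraps to a very large value and the `size >= LOG_BUF_SIZE` test in the next hunk stops rejecting anything. Please add a one-line comment stating that this is the number of payload bytes left in one `LOG_ELT_SIZE` element after the `struct log_history` header, and a build-time check that `sizeof(struct log_history) < LOG_ELT_SIZE`. The macro is also only correct if `buf` is the trailing member of the struct and occupies the whole remainder of the element; the struct definition is not in the visible lines, so that is worth stating in the comment as well.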
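Review bot: in the last hunk (@@ -204,7 +205,7 @@) the terminator is still written at a fixed index, `hist_buf->buf[LOG_BUF_SIZE-1]`, not directly after the copied bytes. The write is now in bounds, but `memcpy` copies only `size` bytes and the check in the previous hunk guarantees `size < LOG_BUF_SIZE`, so every byte between `buf[size]` and the last byte keeps whatever the element held before; nothing in the visible lines clears it. A reader that treats `buf` as a C string instead of honouring `hist_buf->size` would run past the message into leftover data. Suggest `hist_buf->buf[size] = '\0';`, which is in bounds for the same reason and terminates the string at the end of the message.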