DPDK-dev Archive on lore.kernel.org
From: Bruce Richardson <bruce.richardson@intel.com>
To: dev@dpdk.org
Cc: Bruce Richardson <bruce.richardson@intel.com>,
	stable@dpdk.org, Shani Peretz <shperetz@nvidia.com>
Subject: [PATCH 3/6] cmdline: harden parser result buffer handling
Date: Thu,  7 May 2026 15:59:46 +0100
Message-ID: <20260507145950.197753-4-bruce.richardson@intel.com>
In-Reply-To: <20260507145950.197753-1-bruce.richardson@intel.com>

The cmdline parser had a few result-buffer safety gaps.

In boolean token parsing, the parser could write through a NULL output
pointer in parse-only paths (for example completion/match checks).  Add
proper output-pointer and output-size checks before storing the parsed
value.

In instruction matching, reject token offsets that are equal to the
result buffer size, not only greater than it, so tokens are never parsed
with a zero-sized output window at the end of the buffer.

In completion formatting, handle truncated strlcpy() output before
appending help text, preventing offset/size misuse when the destination
buffer is small.

Fixes: 985465997b73 ("ethdev: add xstats API to enable/disable counter")
Fixes: af75078fece3 ("first public release")
Cc: stable@dpdk.org

Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
---
Note: the first fixes line, though strange, is valid. The cmdline
library bool handling was added as part of the ethdev commit.
---
 lib/cmdline/cmdline_parse.c      |  6 ++++--
 lib/cmdline/cmdline_parse_bool.c | 19 ++++++++++++++++---
 2 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/lib/cmdline/cmdline_parse.c b/lib/cmdline/cmdline_parse.c
index 201fddb8c3..d55c8db19d 100644
--- a/lib/cmdline/cmdline_parse.c
+++ b/lib/cmdline/cmdline_parse.c
@@ -133,7 +133,7 @@ match_inst(cmdline_parse_inst_t *inst, const char *buf,
 		} else {
 			unsigned rb_sz;
 
-			if (token_hdr.offset > resbuf_size) {
+			if (token_hdr.offset >= resbuf_size) {
 				printf("Parse error(%s:%d): Token offset(%u) "
 					"exceeds maximum size(%u)\n",
 					__FILE__, __LINE__,
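Review bot: The error text printed under the new `token_hdr.offset >= resbuf_size` test still says the offset "exceeds maximum size", which is no longer accurate when the offset is exactly equal to resbuf_size; consider rewording it, for example to say the offset is outside the result buffer. The check also only rules out a zero-sized window: an offset of resbuf_size - 1 still passes and leaves a one-byte window, so token types with wider results depend on their own parse callback validating the size it is given, as cmdline_parse_bool() now does later in this patch. A short comment here stating that expectation would help future token implementers.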
@@ -519,7 +519,9 @@ cmdline_complete(struct cmdline *cl, const char *buf, int *state,
 				}
 				(*state)++;
 				l=strlcpy(dst, tmpbuf, size);
-				if (l>=0 && token_hdr.ops->get_help) {
+				if ((unsigned int)l >= size)
+					return 1;
+				if (token_hdr.ops->get_help) {
 					token_hdr.ops->get_help(token_p, tmpbuf,
 								sizeof(tmpbuf));
 					help_str = inst->help_str;
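Review bot: The `(unsigned int)l >= size` cast in the new truncation check suggests `l` is a signed variable holding the size_t result of strlcpy() (the removed test was `l>=0`); declaring `l` as size_t, or using a separate size_t local for this call, would avoid the narrowing cast and make the comparison with `size` straightforward. The early `return 1` also runs after `(*state)++` and leaves a truncated token string in `dst` with no help text appended, so a one-line comment saying that returning a truncated completion is intentional, rather than an error return, would make the choice clear to readers and to callers relying on the return value.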
diff --git a/lib/cmdline/cmdline_parse_bool.c b/lib/cmdline/cmdline_parse_bool.c
index e03cc3d545..a3f7adab58 100644
--- a/lib/cmdline/cmdline_parse_bool.c
+++ b/lib/cmdline/cmdline_parse_bool.c
@@ -35,17 +35,30 @@ static cmdline_parse_token_string_t cmd_parse_token_bool = {
 /* parse string to bool */
 int
 cmdline_parse_bool(__rte_unused cmdline_parse_token_hdr_t *tk, const char *srcbuf, void *res,
-	__rte_unused unsigned int ressize)
+	unsigned int ressize)
 {
 	cmdline_fixed_string_t on_off = {0};
+	uint8_t val;
+
+	if (!srcbuf || !*srcbuf)
+		return -1;
+
+	if (res != NULL && ressize < sizeof(uint8_t))
+		return -1;
+
 	if (cmdline_token_string_ops.parse
 			(&cmd_parse_token_bool.hdr, srcbuf, on_off, sizeof(on_off)) < 0)
 		return -1;
 
 	if (strcmp((char *)on_off, "on") == 0)
-		*(uint8_t *)res = 1;
+		val = 1;
 	else if (strcmp((char *)on_off, "off") == 0)
-		*(uint8_t *)res = 0;
+		val = 0;
+	else
+		return -1;
+
+	if (res != NULL)
+		*(uint8_t *)res = val;
 
 	return strlen(on_off);
 }
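Review bot: The added `else return -1;` after the "off" comparison is a behaviour change the commit message does not mention: before this patch a string that passed the string-token parse but was neither "on" nor "off" fell through, left `*res` unwritten and still returned strlen(on_off). That fix deserves a sentence in the log since it is separate from the NULL and size checks. Smaller points: `if (!srcbuf || !*srcbuf)` uses implicit pointer tests while the lines below use `res != NULL`, so pick one form (explicit `srcbuf == NULL` matches the rest of the hunk); and since `ressize < sizeof(uint8_t)` can only be true for ressize == 0, a comment saying that the check exists to reject a zero-sized window would document the intent.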
-- 
2.51.0

