eal/linux: fix illegal memory access in uevent handler
[ upstream commit 1a287fc ]

'recv()' fills the 'buf', later 'strlcpy()' is used to copy from this buffer.
But as Coverity warns, 'recv()' doesn't guarantee that 'buf' is
null-terminated, but 'strlcpy()' requires it.

Enlarge 'buf' size to 'EAL_UEV_MSG_LEN + 1' and ensure the last one can
be set to 0 when received buffer size is EAL_UEV_MSG_LEN.

CID 375864:  Memory - illegal accesses  (STRING_NULL)
Passing unterminated string "buf" to "dev_uev_parse", which expects
a null-terminated string.

Coverity issue: 375864
Fixes: 0d0f478 ("eal/linux: add uevent parse and process")

Signed-off-by: Steve Yang <stevex.yang@intel.com>
Acked-by: Ferruh Yigit <ferruh.yigit@intel.com>
Steve Yang authored and bluca committed Feb 28, 2022
1 parent 240dc51 commit 3cb6888
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions lib/librte_eal/linux/eal_dev.c
Expand Up @@ -226,13 +226,13 @@ dev_uev_handler(__rte_unused void *param)
{
struct rte_dev_event uevent;
int ret;
char buf[EAL_UEV_MSG_LEN];
char buf[EAL_UEV_MSG_LEN + 1];
struct rte_bus *bus;
struct rte_device *dev;
const char *busname = "";

memset(&uevent, 0, sizeof(struct rte_dev_event));
memset(buf, 0, EAL_UEV_MSG_LEN);
memset(buf, 0, EAL_UEV_MSG_LEN + 1);

ret = recv(intr_handle.fd, buf, EAL_UEV_MSG_LEN, MSG_DONTWAIT);
if (ret < 0 && errno == EAGAIN)
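Review bot: the null-termination guarantee in dev_uev_handler() now rests on two separately written size expressions staying in step: memset() clears EAL_UEV_MSG_LEN + 1 bytes while recv() is capped at EAL_UEV_MSG_LEN, and nothing at either call says the one-byte gap is deliberate. Consider `memset(buf, 0, sizeof(buf))` and a recv length of `sizeof(buf) - 1`, or at least a comment on the recv line, so that a later edit passing the full buffer size to recv() does not silently bring back the unterminated string Coverity flagged. The terminator also comes only from the earlier zero fill; the visible lines check `ret < 0 && errno == EAGAIN` but do not use `ret` to set `buf[ret]` to 0, so it would be worth confirming that nothing after this point depends on the received length rather than on the trailing zero byte.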