ivampiresp/Spdk
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

bdevperf: avoid writing outside "out" array boundary

Browse Source 
Currently variables "i" and "k" in config_filename_next()
function may increase at the same speed. When repeating
"for" loop at line 1862 both "i" and "k" are being incremented:
 + i by the for loop,
 + k by the "out[k++]" instruction.
This means that there may be a case, where for loop ends with
"i < BDEVPERF_CONFIG_MAX_FILENAME" condition, as value of "i"
is equal to BDEVPERF_CONFIG_MAX_FILENAME, and at the same time
value of "k" is also equal to BDEVPERF_CONFIG_MAX_FILENAME,
because after writing to out[BDEVPERF_CONFIG_MAX_FILENAME - 1]
element, we increment it one last time.
This results in writing "0" value at line 1873 to memory outside
"out" array boundary.
To amend this problem, compare k against
BDEVPERF_CONFIG_MAX_FILENAME, insted of i.

Change-Id: Ia45778c1f267d2b9dcd676cd9b6c662d09f6f94e
Signed-off-by: Krzysztof Karas <krzysztof.karas@intel.com>
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/17176
Reviewed-by: Jim Harris <james.r.harris@intel.com>
Reviewed-by: Shuhei Matsumoto <smatsumoto@nvidia.com>
Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
This commit is contained in:
Krzysztof Karas 2023-03-14 14:16:40 +01:00 committed by David Ko
parent 182ed72f35
commit 0c4c32a928
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
examples/bdev/bdevperf/bdevperf.c
View File

@ -1865,7 +1865,7 @@ config_filename_next(const char *filename, char *out)
for (i = 0, k = 0; for (i = 0, k = 0;
filename[i] != '\0' && filename[i] != '\0' &&
filename[i] != ':' && filename[i] != ':' &&
i < BDEVPERF_CONFIG_MAX_FILENAME; k < BDEVPERF_CONFIG_MAX_FILENAME;
i++) { i++) {
if (filename[i] == ' ' || filename[i] == '\t') { if (filename[i] == ' ' || filename[i] == '\t') {
continue; continue;