From 6d7b6905842f80fa18a400be01cc2e44e8847b49 Mon Sep 17 00:00:00 2001 From: Krzysztof Karas Date: Tue, 14 Mar 2023 14:16:40 +0100 Subject: [PATCH] bdevperf: avoid writing outside "out" array boundary Currently variables "i" and "k" in config_filename_next() function may increase at the same speed. When repeating "for" loop at line 1862 both "i" and "k" are being incremented: + i by the for loop, + k by the "out[k++]" instruction. This means that there may be a case, where for loop ends with "i < BDEVPERF_CONFIG_MAX_FILENAME" condition, as value of "i" is equal to BDEVPERF_CONFIG_MAX_FILENAME, and at the same time value of "k" is also equal to BDEVPERF_CONFIG_MAX_FILENAME, because after writing to out[BDEVPERF_CONFIG_MAX_FILENAME - 1] element, we increment it one last time. This results in writing "0" value at line 1873 to memory outside "out" array boundary. To amend this problem, compare k against BDEVPERF_CONFIG_MAX_FILENAME, insted of i. Change-Id: Ia45778c1f267d2b9dcd676cd9b6c662d09f6f94e Signed-off-by: Krzysztof Karas Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/17176 Reviewed-by: Jim Harris Reviewed-by: Shuhei Matsumoto Tested-by: SPDK CI Jenkins --- examples/bdev/bdevperf/bdevperf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/bdev/bdevperf/bdevperf.c b/examples/bdev/bdevperf/bdevperf.c index 0f916f5a6..143426599 100644 --- a/examples/bdev/bdevperf/bdevperf.c +++ b/examples/bdev/bdevperf/bdevperf.c @@ -1865,7 +1865,7 @@ config_filename_next(const char *filename, char *out) for (i = 0, k = 0; filename[i] != '\0' && filename[i] != ':' && - i < BDEVPERF_CONFIG_MAX_FILENAME; + k < BDEVPERF_CONFIG_MAX_FILENAME; i++) { if (filename[i] == ' ' || filename[i] == '\t') { continue;