diff mbox series

[iproute2,v3,1/2] bpf: Fix segfault when custom pinning is used

Message ID 20200423175857.20180-2-jhs@emojatatu.com
State Changes Requested
Delegated to: stephen hemminger
Headers show
Series bpf: memory access fixes | expand

Commit Message

Jamal Hadi Salim April 23, 2020, 5:58 p.m. UTC 
From: Jamal Hadi Salim <jhs@mojatatu.com>

How to recreate:
1) Create a custome pinned map - example something along
   the lines of:

   struct bpf_elf_map SEC("maps") my_map = {
        .type = BPF_MAP_TYPE_HASH,
        .size_key = sizeof(struct my_key),
        .size_value = sizeof(struct my_value),
        .pinning = 6,
        .max_elem = 16,
   };

2) load the program with tc filter and tc will segfault.

The reason is we strcat past memory allocated using asprintf.
Solution - just use a static buffer of max possible size of 4k.

Fixes: c0325b06382 ("bpf: replace snprintf with asprintf when dealing with long buffers")

Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
---
 lib/bpf.c | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)
diff mbox series

Patch

diff --git a/lib/bpf.c b/lib/bpf.c
index 10cf9bf4..73f3a590 100644
--- a/lib/bpf.c
+++ b/lib/bpf.c
@@ -1509,16 +1509,12 @@  out:
 static int bpf_make_custom_path(const struct bpf_elf_ctx *ctx,
 				const char *todo)
 {
-	char *tmp = NULL;
+	char tmp[PATH_MAX];
 	char *rem = NULL;
 	char *sub;
 	int ret;
 
-	ret = asprintf(&tmp, "%s/../", bpf_get_work_dir(ctx->type));
-	if (ret < 0) {
-		fprintf(stderr, "asprintf failed: %s\n", strerror(errno));
-		goto out;
-	}
+	snprintf(tmp, PATH_MAX, "%s/../", bpf_get_work_dir(ctx->type));
 
 	ret = asprintf(&rem, "%s/", todo);
 	if (ret < 0) {
@@ -1547,7 +1543,6 @@  static int bpf_make_custom_path(const struct bpf_elf_ctx *ctx,
 	ret = 0;
 out:
 	free(rem);
-	free(tmp);
 	return ret;
 }