Re: [dpdk-dev] [PATCH v1 1/4] raw/ifpga/base: use trusted buffer to free

["Xu, Rosen" <rosen.xu@intel.com>]

Hi,

-----Original Message-----
From: Huang, Wei <wei.huang@intel.com> 
Sent: Wednesday, March 17, 2021 4:22 PM
To: dev@dpdk.org; Xu, Rosen <rosen.xu@intel.com>; Zhang, Qi Z <qi.z.zhang@intel.com>
Cc: stable@dpdk.org; Zhang, Tianfei <tianfei.zhang@intel.com>; Huang, Wei <wei.huang@intel.com>
Subject: [PATCH v1 1/4] raw/ifpga/base: use trusted buffer to free

In write_flash_image(), calling function "read" may taints variable "buf" which turn to an untrusted value as argument of "rte_free".

Coverity issue: 367477
Fixes: 7a4f3993f269 ("raw/ifpga: add FPGA RSU APIs")

Signed-off-by: Wei Huang <wei.huang@intel.com>
---
 drivers/raw/ifpga/base/ifpga_fme_rsu.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/raw/ifpga/base/ifpga_fme_rsu.c b/drivers/raw/ifpga/base/ifpga_fme_rsu.c
index 28198abd78..d32f1eccb1 100644
--- a/drivers/raw/ifpga/base/ifpga_fme_rsu.c
+++ b/drivers/raw/ifpga/base/ifpga_fme_rsu.c
@@ -92,6 +92,7 @@ static int write_flash_image(struct ifpga_sec_mgr *smgr, const char *image,
 	uint32_t offset)
 {
 	void *buf = NULL;
+	void *buf_to_free = NULL;
 	int retry = 0;
 	uint32_t length = 0;
 	uint32_t to_transfer = 0;
@@ -122,6 +123,7 @@ static int write_flash_image(struct ifpga_sec_mgr *smgr, const char *image,
 		close(fd);
 		return -ENOMEM;
 	}
+	buf_to_free = buf;
 
 	length = smgr->rsu_length;
 	one_percent = length / 100;
@@ -177,7 +179,7 @@ static int write_flash_image(struct ifpga_sec_mgr *smgr, const char *image,
 	printf("\n");
 
 end:
-	free(buf);
+	free(buf_to_free);
 	close(fd);
 	return ret;
 }
--
2.29.2

Acked-by: Rosen Xu <rosen.xu@intel.com>