While looking into extending telemetry for other uses, I noticed a pattern of unsafe string handling in the command handlers. They run one thread per client connection but parse parameters with non-reentrant strtok(), and convert ids with atoi()/unchecked strtoul() that silently truncate or alias out-of-range values; in eth_rx the strtok() continuation chain can also dereference freed memory.
This series covers the library code (telemetry, ethdev, dmadev, security, eventdev, eth_rx, timer). A follow-up is needed for the same strtok() use in drivers.

They are marked for stable: the races and the use-after-free are real and the changes are low-risk to backport. Severity is low since telemetry is not a remote interface, but these are the kind of issues likely to be found by AI security scanning tools. In future, atoi() and strtok() look worth adding to the forbidden tokens list in devtools/checkpatches.sh.

Stephen Hemminger (8):
  telemetry: fix thread-unsafe command parsing
  ethdev: make telemetry parameter parsing thread-safe
  dmadev: validate telemetry parameters
  security: harden telemetry parameter parsing
  eventdev: remove strtok from telemetry handlers
  eventdev/eth_rx: fix thread-unsafe telemetry parsing
  eventdev/eth_rx: reject out-of-range telemetry adapter ID
  eventdev/timer: reject out-of-range ID

 lib/dmadev/rte_dmadev.c                 |  44 +++++---
 lib/ethdev/rte_ethdev_telemetry.c       |  12 ++-
 lib/eventdev/rte_event_eth_rx_adapter.c |  97 ++++++++--------
 lib/eventdev/rte_event_timer_adapter.c  |  22 ++--
 lib/eventdev/rte_eventdev.c             | 136 +++++++++++------------
 lib/security/rte_security.c             |  41 ++++---
 lib/telemetry/telemetry.c               |   5 +-
 7 files changed, 186 insertions(+), 171 deletions(-)

-- 
2.53.0
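The two defects described in the cover letter, shown side by side in a constructed example (added here; not DPDK code and not part of the series): the legacy atoi()-and-narrow pattern that aliases out-of-range ids, and a handler-style parse of a "<adapter_id>,<queue_id>" parameter string that uses a private buffer, strtok_r() instead of strtok(), and range-checked strtoul(). The parameter layout, field widths and function names are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed illustration of the bug class, not DPDK code. Telemetry
 * handlers receive parameters as a comma-separated string, e.g. "3,17". */

/* Legacy pattern: atoi() narrowed to the id type. "256" becomes 0 and
 * "-1" becomes 255, so an out-of-range id silently aliases a real one. */
uint8_t legacy_adapter_id(const char *tok)
{
	return (uint8_t)atoi(tok);
}

/* Strict replacement: unsigned decimal only, no sign or whitespace, no
 * trailing junk, range-checked against the destination type's maximum. */
static int parse_uint_strict(const char *tok, unsigned long max, unsigned long *out)
{
	char *end;
	unsigned long v;
	if (tok == NULL || !isdigit((unsigned char)*tok))
		return -EINVAL;
	errno = 0;
	v = strtoul(tok, &end, 10);
	if (errno != 0 || *end != '\0' || v > max)	/* ERANGE, junk, too big */
		return -EINVAL;
	*out = v;
	return 0;
}

/* Parse "<adapter_id>,<queue_id>" from a private copy using strtok_r(), so
 * concurrent handler threads never share strtok()'s hidden static state. */
int parse_adapter_queue(const char *params, uint8_t *adapter_id, uint16_t *queue_id)
{
	char buf[64], *save = NULL, *tok;
	unsigned long a, q;
	if (params == NULL || strlen(params) >= sizeof(buf))
		return -EINVAL;
	strcpy(buf, params);
	tok = strtok_r(buf, ",", &save);
	if (parse_uint_strict(tok, UINT8_MAX, &a) != 0)
		return -EINVAL;
	tok = strtok_r(NULL, ",", &save);
	if (parse_uint_strict(tok, UINT16_MAX, &q) != 0)
		return -EINVAL;
	if (strtok_r(NULL, ",", &save) != NULL)	/* reject extra tokens */
		return -EINVAL;
	*adapter_id = (uint8_t)a;
	*queue_id = (uint16_t)q;
	return 0;
}
```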

