The EAL hotplug multi-process messaging uses a fixed-size buffer
(EAL_DEV_MP_DEV_ARGS_MAX_LEN, 128 bytes) for device arguments.
When devargs exceeds this limit, strlcpy silently truncates the
string. This causes secondary processes to receive incomplete
devargs during hotplug re-add, leading to failed port
re-initialization.
For example, a MANA PCI device with 6 mac= arguments:
mac=AA:BB:CC:DD:EE:01,mac=AA:BB:CC:DD:EE:02,
mac=AA:BB:CC:DD:EE:03,mac=AA:BB:CC:DD:EE:04,
mac=AA:BB:CC:DD:EE:05,mac=AA:BB:CC:DD:EE:06
produces a 131-byte devargs string that gets silently truncated
to 127 bytes, losing the last MAC address.
Return -E2BIG from rte_dev_probe() when devargs would be truncated,
instead of silently corrupting data. rte_dev_remove() does not need
the same check because the length was already validated at probe time.
Fixes: 244d5130719c ("eal: enable hotplug on multi-process")
Cc: [email protected]
Signed-off-by: Long Li <[email protected]>
---
v2:
- Added Fixes: tag and Cc: [email protected].
- Moved the length check before memset() in rte_dev_probe().
- Removed the redundant length check from rte_dev_remove();
devargs length is already validated at probe time.
- Dropped the [2/2] meson-options patch from this series; it will
be sent separately.
lib/eal/common/eal_common_dev.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/lib/eal/common/eal_common_dev.c b/lib/eal/common/eal_common_dev.c
index 48b631532a..f3fc4d585e 100644
--- a/lib/eal/common/eal_common_dev.c
+++ b/lib/eal/common/eal_common_dev.c
@@ -271,6 +271,12 @@ rte_dev_probe(const char *devargs)
struct rte_device *dev;
int ret;
+ if (strlen(devargs) >= EAL_DEV_MP_DEV_ARGS_MAX_LEN) {
+ EAL_LOG(ERR, "devargs truncated (len %zu, max %d)",
+ strlen(devargs), EAL_DEV_MP_DEV_ARGS_MAX_LEN);
+ return -E2BIG;
+ }
+
memset(&req, 0, sizeof(req));
req.t = EAL_DEV_REQ_TYPE_ATTACH;
strlcpy(req.devargs, devargs, EAL_DEV_MP_DEV_ARGS_MAX_LEN);
--
2.43.0
