From 82f60c9b5eafedab08bd3aadd3beec7f89b1744f Mon Sep 17 00:00:00 2001 From: Nandakumar Edamana Date: Sat, 22 Feb 2025 02:31:11 +0530 Subject: [PATCH] libbpf: Fix out-of-bound read In `set_kcfg_value_str`, an untrusted string is accessed with the assumption that it will be at least two characters long due to the presence of checks for opening and closing quotes. But the check for the closing quote (value[len - 1] != '"') misses the fact that it could be checking the opening quote itself in case of an invalid input that consists of just the opening quote. This commit adds an explicit check to make sure the string is at least two characters long. Signed-off-by: Nandakumar Edamana Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20250221210110.3182084-1-nandakumar@nandakumar.co.in Signed-off-by: Ihor Solodrai --- src/libbpf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/libbpf.c b/src/libbpf.c index 6df2589..899e982 100644 --- a/src/libbpf.c +++ b/src/libbpf.c @@ -2106,7 +2106,7 @@ static int set_kcfg_value_str(struct extern_desc *ext, char *ext_val, } len = strlen(value); - if (value[len - 1] != '"') { + if (len < 2 || value[len - 1] != '"') { pr_warn("extern (kcfg) '%s': invalid string config '%s'\n", ext->name, value); return -EINVAL;