From: Zhushuai Yin <yinzhushuai@huawei.com> The file_path caused a stack overflow due to the use of 4096 bytes of stack memory, leading to insufficient stack memory and a memory overwrite. This resulted in the addresses of the func and funcargs within the async job being overwritten. Signed-off-by: Zhushuai Yin <yinzhushuai@huawei.com> Signed-off-by: Qi Tao <taoqi10@huawei.com> --- wd_util.c | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/wd_util.c b/wd_util.c index 56d85d49..e8a29344 100644 --- a/wd_util.c +++ b/wd_util.c @@ -34,6 +34,8 @@ #define WD_DRV_LIB_DIR "uadk" +#define WD_PATH_DIR_NUM 2 + struct msg_pool { /* message array allocated dynamically */ void *msgs; @@ -2168,8 +2170,7 @@ static void dladdr_empty(void) int wd_get_lib_file_path(const char *lib_file, char *lib_path, bool is_dir) { - char file_path[PATH_MAX] = {0}; - char path[PATH_MAX] = {0}; + char *path_buf, *path, *file_path; Dl_info file_info; int len, rc, i; @@ -2179,6 +2180,14 @@ int wd_get_lib_file_path(const char *lib_file, char *lib_path, bool is_dir) WD_ERR("fail to get lib file path.\n"); return -WD_EINVAL; } + + path_buf = calloc(WD_PATH_DIR_NUM, sizeof(char) * PATH_MAX); + if (!path_buf) { + WD_ERR("fail to calloc path_buf.\n"); + return -WD_ENOMEM; + } + file_path = path_buf; + path = path_buf + PATH_MAX; strncpy(file_path, file_info.dli_fname, PATH_MAX - 1); /* Clear the file path's tail file name */ @@ -2193,19 +2202,24 @@ int wd_get_lib_file_path(const char *lib_file, char *lib_path, bool is_dir) if (is_dir) { len = snprintf(lib_path, PATH_MAX, "%s/%s", file_path, WD_DRV_LIB_DIR); if (len >= PATH_MAX) - return -WD_EINVAL; + goto free_path; } else { len = snprintf(lib_path, PATH_MAX, "%s/%s/%s", file_path, WD_DRV_LIB_DIR, lib_file); if (len >= PATH_MAX) - return -WD_EINVAL; + goto free_path; } if (realpath(lib_path, path) == NULL) { WD_ERR("invalid: %s: no such file or directory!\n", path); - return -WD_EINVAL; + goto free_path; } + free(path_buf); return 0; + +free_path: + free(path_buf); + return -WD_EINVAL; } /** -- 2.33.0