From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) by dpdk.org (Postfix) with ESMTP id 777742C38; Sat, 2 Mar 2019 11:44:12 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2755; q=dns/txt; s=iport; t=1551523452; x=1552733052; h=from:to:cc:subject:date:message-id:in-reply-to: references; bh=he4ktedDHvic2UrYgYx+RP6VxHvgT2Ka5BFBiaSTAos=; b=fUJbGbhjufVp876TjRcrY6THb+J2GMUVpJraVovGFIHqmLQfdOS33T3W reH6STFGJ27oUuqsyFiVdUe47yuDJiw8QtYdilBiUwbJyvO+4en4+7JD1 K1vKjVwsAB3dNnAQH02f1PnxnclLNiens/v5z4gTczr8ef4Gw3VS3YKyC k=; X-IronPort-AV: E=Sophos;i="5.58,431,1544486400"; d="scan'208";a="530643131" Received: from alln-core-5.cisco.com ([173.36.13.138]) by rcdn-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 02 Mar 2019 10:44:11 +0000 Received: from cisco.com (savbu-usnic-a.cisco.com [10.193.184.48]) by alln-core-5.cisco.com (8.15.2/8.15.2) with ESMTP id x22AiB2T029802; Sat, 2 Mar 2019 10:44:11 GMT Received: by cisco.com (Postfix, from userid 508933) id 7811820F2001; Sat, 2 Mar 2019 02:44:11 -0800 (PST) From: Hyong Youb Kim To: Ferruh Yigit Cc: dev@dpdk.org, John Daley , Hyong Youb Kim , stable@dpdk.org Date: Sat, 2 Mar 2019 02:42:43 -0800 Message-Id: <20190302104251.32565-6-hyonkim@cisco.com> X-Mailer: git-send-email 2.16.2 In-Reply-To: <20190302104251.32565-1-hyonkim@cisco.com> References: <20190302104251.32565-1-hyonkim@cisco.com> X-Outbound-SMTP-Client: 10.193.184.48, savbu-usnic-a.cisco.com X-Outbound-Node: alln-core-5.cisco.com Subject: [dpdk-dev] [PATCH v2 05/13] net/enic: check for unsupported flow item types X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 02 Mar 2019 10:44:13 -0000 Currently a pattern with an unsupported item type causes segfault, because the flow handler is using the type as an array index without checking bounds. Add an explicit check for unsupported item types and avoid out-of-bound accesses. Fixes: 6ced137607d0 ("net/enic: flow API for NICs with advanced filters enabled") Cc: stable@dpdk.org Signed-off-by: Hyong Youb Kim Reviewed-by: John Daley --- drivers/net/enic/enic_flow.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/drivers/net/enic/enic_flow.c b/drivers/net/enic/enic_flow.c index e12a6ec73..c60476c8c 100644 --- a/drivers/net/enic/enic_flow.c +++ b/drivers/net/enic/enic_flow.c @@ -40,6 +40,8 @@ struct enic_items { struct enic_filter_cap { /** list of valid items and their handlers and attributes. */ const struct enic_items *item_info; + /* Max type in the above list, used to detect unsupported types */ + enum rte_flow_item_type max_item_type; }; /* functions for copying flow actions into enic actions */ @@ -257,12 +259,15 @@ static const struct enic_items enic_items_v3[] = { static const struct enic_filter_cap enic_filter_cap[] = { [FILTER_IPV4_5TUPLE] = { .item_info = enic_items_v1, + .max_item_type = RTE_FLOW_ITEM_TYPE_TCP, }, [FILTER_USNIC_IP] = { .item_info = enic_items_v2, + .max_item_type = RTE_FLOW_ITEM_TYPE_VXLAN, }, [FILTER_DPDK_1] = { .item_info = enic_items_v3, + .max_item_type = RTE_FLOW_ITEM_TYPE_VXLAN, }, }; @@ -946,7 +951,7 @@ item_stacking_valid(enum rte_flow_item_type prev_item, */ static int enic_copy_filter(const struct rte_flow_item pattern[], - const struct enic_items *items_info, + const struct enic_filter_cap *cap, struct filter_v2 *enic_filter, struct rte_flow_error *error) { @@ -969,7 +974,14 @@ enic_copy_filter(const struct rte_flow_item pattern[], if (item->type == RTE_FLOW_ITEM_TYPE_VOID) continue; - item_info = &items_info[item->type]; + item_info = &cap->item_info[item->type]; + if (item->type > cap->max_item_type || + item_info->copy_item == NULL) { + rte_flow_error_set(error, ENOTSUP, + RTE_FLOW_ERROR_TYPE_ITEM, + NULL, "Unsupported item."); + return -rte_errno; + } /* check to see if item stacking is valid */ if (!item_stacking_valid(prev_item, item_info, is_first_item)) @@ -1423,7 +1435,7 @@ enic_flow_parse(struct rte_eth_dev *dev, return -rte_errno; } enic_filter->type = enic->flow_filter_mode; - ret = enic_copy_filter(pattern, enic_filter_cap->item_info, + ret = enic_copy_filter(pattern, enic_filter_cap, enic_filter, error); return ret; } -- 2.16.2