From: Maayan Kashani <mkashani@nvidia.com>
To: <dev@dpdk.org>
Cc: <mkashani@nvidia.com>, <rasland@nvidia.com>, <stable@dpdk.org>,
"Dariusz Sosnowski" <dsosnowski@nvidia.com>,
Viacheslav Ovsiienko <viacheslavo@nvidia.com>,
Bing Zhao <bingz@nvidia.com>, Ori Kam <orika@nvidia.com>,
Suanming Mou <suanmingm@nvidia.com>,
Matan Azrad <matan@nvidia.com>,
Alexander Kozyrev <akozyrev@nvidia.com>
Subject: [PATCH] net/mlx5: fix stack-buffer-overflow in indexed based rules
Date: Wed, 30 Jul 2025 10:16:59 +0300
Message-ID: <20250730071700.187675-1-mkashani@nvidia.com>

During asynchronous flow creation by index,
the items array was initialized with only one element,
but the table metadata did not update the item count accordingly.
This mismatch led to an out-of-bounds memcpy operation,
as the code attempted to copy more elements than were actually allocated.

To resolve this, since item matching is disregarded when inserting a
rule by index (the rule is triggered when a packet reaches the
specified index),
the fix is to skip preparing the items array in this case.
Instead, the items array should only contain a single element,
RTE_FLOW_ITEM_TYPE_END, which indicates no match pattern is needed.
This prevents unsafe memory operations and aligns the array size
with its intended usage.

Fixes: 36c379c82e82 ("net/mlx5: add flow rule insertion by index with pattern")
Cc: stable@dpdk.org

Signed-off-by: Maayan Kashani <mkashani@nvidia.com>
Acked-by: Dariusz Sosnowski <dsosnowski@nvidia.com>
---
drivers/net/mlx5/mlx5_flow_hw.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/drivers/net/mlx5/mlx5_flow_hw.c b/drivers/net/mlx5/mlx5_flow_hw.c
index 6dc16f80d32..016370f68bf 100644
--- a/drivers/net/mlx5/mlx5_flow_hw.c
+++ b/drivers/net/mlx5/mlx5_flow_hw.c
@@ -3982,10 +3982,14 @@ flow_hw_async_flow_create_generic(struct rte_eth_dev *dev,
flow->table, actions,
rule_acts, queue, &sub_error))
goto error;
- rule_items = flow_hw_get_rule_items(dev, table, items,
- pattern_template_index, &priv->hw_q[queue].pp);
- if (!rule_items)
- goto error;
+ if (insertion_type == RTE_FLOW_TABLE_INSERTION_TYPE_INDEX) {
+ rule_items = items;
+ } else {
+ rule_items = flow_hw_get_rule_items(dev, table, items,
+ pattern_template_index, &priv->hw_q[queue].pp);
+ if (!rule_items)
+ goto error;
+ }
if (likely(!rte_flow_template_table_resizable(dev->data->port_id, &table->cfg.attr))) {
ret = mlx5dr_rule_create(table->matcher_info[0].matcher,
pattern_template_index, rule_items,
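Review bot: in the new `insertion_type == RTE_FLOW_TABLE_INSERTION_TYPE_INDEX` branch, `rule_items = items` forwards the array to mlx5dr_rule_create() without checking that `items` is non-NULL or that it is the single RTE_FLOW_ITEM_TYPE_END element the commit message says it should be. Nothing in the hunk enforces or documents that contract, so a one-line comment above the branch explaining why pattern preparation is skipped for index insertion, plus either an assertion on `items[0].type` or a note on which caller guarantees it, would keep the out-of-bounds copy from returning if a later caller passes a longer or differently sized array. Since the Fixes tag refers to "insertion by index with pattern", please also confirm in the commit message that only plain index insertion should bypass flow_hw_get_rule_items() and that the index-with-pattern case is meant to stay on the `else` path.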
--
2.21.0