DPDK patches and discussions
* [PATCH] net/mlx5: fix stack-buffer-overflow in indexed based rules
From: Maayan Kashani @ 2025-07-30  7:16 UTC
  To: dev
  Cc: mkashani, rasland, stable, Dariusz Sosnowski,
	Viacheslav Ovsiienko, Bing Zhao, Ori Kam, Suanming Mou,
	Matan Azrad, Alexander Kozyrev

During asynchronous flow creation by index,
the items array was initialized with only one element,
but the table metadata did not update the item count accordingly.
This mismatch led to an out-of-bounds memcpy operation,
as the code attempted to copy more elements than were actually allocated.

To resolve this, since item matching is disregarded when inserting a
rule by index (the rule is triggered when a packet reaches the
specified index),
the fix is to skip preparing the items array in this case.
Instead, the items array should only contain a single element,
RTE_FLOW_ITEM_TYPE_END, which indicates no match pattern is needed.
This prevents unsafe memory operations and aligns the array size
with its intended usage.

Fixes: 36c379c82e82 ("net/mlx5: add flow rule insertion by index with pattern")
Cc: stable@dpdk.org

Signed-off-by: Maayan Kashani <mkashani@nvidia.com>
Acked-by: Dariusz Sosnowski <dsosnowski@nvidia.com>
---
 drivers/net/mlx5/mlx5_flow_hw.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/net/mlx5/mlx5_flow_hw.c b/drivers/net/mlx5/mlx5_flow_hw.c
index 6dc16f80d32..016370f68bf 100644
--- a/drivers/net/mlx5/mlx5_flow_hw.c
+++ b/drivers/net/mlx5/mlx5_flow_hw.c
@@ -3982,10 +3982,14 @@ flow_hw_async_flow_create_generic(struct rte_eth_dev *dev,
 				      flow->table, actions,
 				      rule_acts, queue, &sub_error))
 		goto error;
-	rule_items = flow_hw_get_rule_items(dev, table, items,
-					    pattern_template_index, &priv->hw_q[queue].pp);
-	if (!rule_items)
-		goto error;
+	if (insertion_type == RTE_FLOW_TABLE_INSERTION_TYPE_INDEX) {
+		rule_items = items;
+	} else {
+		rule_items = flow_hw_get_rule_items(dev, table, items,
+						    pattern_template_index, &priv->hw_q[queue].pp);
+		if (!rule_items)
+			goto error;
+	}
 	if (likely(!rte_flow_template_table_resizable(dev->data->port_id, &table->cfg.attr))) {
 		ret = mlx5dr_rule_create(table->matcher_info[0].matcher,
 					 pattern_template_index, rule_items,
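
Review bot: In the new RTE_FLOW_TABLE_INSERTION_TYPE_INDEX branch, `rule_items = items;` forwards the caller's array unchanged to mlx5dr_rule_create(), so the fix depends on every caller passing a single-element RTE_FLOW_ITEM_TYPE_END array, and nothing in this hunk checks or documents that precondition. Please add a short comment above the branch explaining that matching is ignored for index insertion and that items must hold only the END item. Consider also a debug assertion that items is non-NULL and items[0].type is RTE_FLOW_ITEM_TYPE_END, so a caller that violates the contract fails at this point rather than in a later copy. Since pattern_template_index is still passed to mlx5dr_rule_create() in the unchanged context lines, it would also help to state in the commit message or a comment whether the item count taken from that template can still exceed the one-element array on this path.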
-- 
2.21.0

