DPDK patches and discussions
* [PATCH] net/mlx5: fix stack-buffer-overflow in indexed based rules
@ 2025-07-30  7:16 Maayan Kashani
  2025-08-18  6:31 ` Raslan Darawsheh
  0 siblings, 1 reply; 2+ messages in thread
From: Maayan Kashani @ 2025-07-30  7:16 UTC
  To: dev
  Cc: mkashani, rasland, stable, Dariusz Sosnowski,
	Viacheslav Ovsiienko, Bing Zhao, Ori Kam, Suanming Mou,
	Matan Azrad, Alexander Kozyrev

During asynchronous flow creation by index,
the items array was initialized with only one element,
but the table metadata did not update the item count accordingly.
This mismatch led to an out-of-bounds memcpy operation,
as the code attempted to copy more elements than were actually allocated.

To resolve this, since item matching is disregarded when inserting a
rule by index (the rule is triggered when a packet reaches the
specified index),
the fix is to skip preparing the items array in this case.
Instead, the items array should only contain a single element,
RTE_FLOW_ITEM_TYPE_END, which indicates no match pattern is needed.
This prevents unsafe memory operations and aligns the array size
with its intended usage.

Fixes: 36c379c82e82 ("net/mlx5: add flow rule insertion by index with pattern")
Cc: stable@dpdk.org

Signed-off-by: Maayan Kashani <mkashani@nvidia.com>
Acked-by: Dariusz Sosnowski <dsosnowski@nvidia.com>
---
 drivers/net/mlx5/mlx5_flow_hw.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/net/mlx5/mlx5_flow_hw.c b/drivers/net/mlx5/mlx5_flow_hw.c
index 6dc16f80d32..016370f68bf 100644
--- a/drivers/net/mlx5/mlx5_flow_hw.c
+++ b/drivers/net/mlx5/mlx5_flow_hw.c
@@ -3982,10 +3982,14 @@ flow_hw_async_flow_create_generic(struct rte_eth_dev *dev,
 				      flow->table, actions,
 				      rule_acts, queue, &sub_error))
 		goto error;
-	rule_items = flow_hw_get_rule_items(dev, table, items,
-					    pattern_template_index, &priv->hw_q[queue].pp);
-	if (!rule_items)
-		goto error;
+	if (insertion_type == RTE_FLOW_TABLE_INSERTION_TYPE_INDEX) {
+		rule_items = items;
+	} else {
+		rule_items = flow_hw_get_rule_items(dev, table, items,
+						    pattern_template_index, &priv->hw_q[queue].pp);
+		if (!rule_items)
+			goto error;
+	}
 	if (likely(!rte_flow_template_table_resizable(dev->data->port_id, &table->cfg.attr))) {
 		ret = mlx5dr_rule_create(table->matcher_info[0].matcher,
 					 pattern_template_index, rule_items,
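
Review bot: In the new RTE_FLOW_TABLE_INSERTION_TYPE_INDEX branch, `rule_items = items;` forwards the caller's array to mlx5dr_rule_create() unchanged, and nothing in this hunk checks that it is non-NULL or that it is the single RTE_FLOW_ITEM_TYPE_END element the commit message relies on. The else branch keeps its `if (!rule_items) goto error;` guard, so the two paths now differ in what they validate. Consider adding a short comment in the index branch stating that matching is ignored for insertion by index and where the single-END guarantee is established, plus a debug assertion on `items` if that guarantee comes from a caller outside this function.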
-- 
2.21.0



* Re: [PATCH] net/mlx5: fix stack-buffer-overflow in indexed based rules
  2025-07-30  7:16 [PATCH] net/mlx5: fix stack-buffer-overflow in indexed based rules Maayan Kashani
@ 2025-08-18  6:31 ` Raslan Darawsheh
  0 siblings, 0 replies; 2+ messages in thread
From: Raslan Darawsheh @ 2025-08-18  6:31 UTC
  To: Maayan Kashani, dev
  Cc: stable, Dariusz Sosnowski, Viacheslav Ovsiienko, Bing Zhao,
	Ori Kam, Suanming Mou, Matan Azrad, Alexander Kozyrev

Hi,


On 30/07/2025 10:16 AM, Maayan Kashani wrote:
> During asynchronous flow creation by index,
> the items array was initialized with only one element,
> but the table metadata did not update the item count accordingly.
> This mismatch led to an out-of-bounds memcpy operation,
> as the code attempted to copy more elements than were actually allocated.
> 
> To resolve this, since item matching is disregarded when inserting a
> rule by index (the rule is triggered when a packet reaches the
> specified index),
> the fix is to skip preparing the items array in this case.
> Instead, the items array should only contain a single element,
> RTE_FLOW_ITEM_TYPE_END, which indicates no match pattern is needed.
> This prevents unsafe memory operations and aligns the array size
> with its intended usage.
> 
> Fixes: 36c379c82e82 ("net/mlx5: add flow rule insertion by index with pattern")
> Cc: stable@dpdk.org
> 
> Signed-off-by: Maayan Kashani <mkashani@nvidia.com>
> Acked-by: Dariusz Sosnowski <dsosnowski@nvidia.com>

Patch applied to next-net-mlx,

Kindest regards
Raslan Darawsheh

