[PATCH v5 04/12] net/ixgbe: fix potential null dereference in IPsec

Bruce Richardson bruce.richardson at intel.com
Thu Feb 12 18:15:40 CET 2026


On Thu, Feb 12, 2026 at 12:53:27PM +0000, Anatoly Burakov wrote:
> Currently, IPsec flow parser will look for IPv4 flow item in the pattern,
> and then pass it to IPsec SA flow function. However, we do not check if the
> spec pointer is actually valid. Fix by adding the check.
> 
> Fixes: 9a0752f498d2 ("net/ixgbe: enable inline IPsec")
> Cc: radu.nicolau at intel.com
> Cc: stable at dpdk.org
> 
> Signed-off-by: Anatoly Burakov <anatoly.burakov at intel.com>
> ---

Acked-by: Bruce Richardson <bruce.richardson at intel.com>

>  drivers/net/intel/ixgbe/ixgbe_flow.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/drivers/net/intel/ixgbe/ixgbe_flow.c b/drivers/net/intel/ixgbe/ixgbe_flow.c
> index 81b983ce69..90a24806d2 100644
> --- a/drivers/net/intel/ixgbe/ixgbe_flow.c
> +++ b/drivers/net/intel/ixgbe/ixgbe_flow.c
> @@ -251,6 +251,12 @@ cons_parse_ntuple_filter(const struct rte_flow_attr *attr,
>  			}
>  			item = next_no_void_pattern(pattern, item);
>  		}
> +		if (item->spec == NULL) {
> +			rte_flow_error_set(error, EINVAL,
> +					RTE_FLOW_ERROR_TYPE_ITEM_SPEC, item,
> +					"NULL IP pattern.");
> +			return -rte_errno;
> +		}
>  
>  		filter->proto = IPPROTO_ESP;
>  		return ixgbe_crypto_add_ingress_sa_from_flow(conf, item->spec,
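
Review bot: the error string in the added check, "NULL IP pattern.", does not describe the condition being tested, which is item->spec == NULL on an item that is itself present. A message such as "NULL IP item spec" would tell the caller which field is missing, and would agree with the RTE_FLOW_ERROR_TYPE_ITEM_SPEC type already passed on the line above it. Separately, the visible context does not show which item type the preceding loop stops on, so it is worth confirming that the item reaching this check is always the IP item before item->spec is handed to ixgbe_crypto_add_ingress_sa_from_flow(). A blank line between the loop's closing brace and the new if would also match the spacing used after the block.
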
> -- 
> 2.47.3
> 
