[PATCH 2/2] net/cpfl: validate fieldvector offsets before copying keys

Pengpeng Hou pengpeng at iscas.ac.cn
Sat Mar 21 03:16:34 CET 2026


The CPFL JSON parser accepts fieldvector offsets and SEM key sizes straight from the input description. Reject offsets that would write past the 64-byte SEM fieldvector storage and reject key sizes that would later overread the fixed source buffer or overflow the destination key buffer.

Signed-off-by: Pengpeng Hou <pengpeng at iscas.ac.cn>
---
 drivers/net/intel/cpfl/cpfl_flow_engine_fxp.c |  6 ++++++
 drivers/net/intel/cpfl/cpfl_flow_parser.c     | 12 ++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/drivers/net/intel/cpfl/cpfl_flow_engine_fxp.c b/drivers/net/intel/cpfl/cpfl_flow_engine_fxp.c
index 361827c..d0bd909 100644
--- a/drivers/net/intel/cpfl/cpfl_flow_engine_fxp.c
+++ b/drivers/net/intel/cpfl/cpfl_flow_engine_fxp.c
@@ -173,6 +173,12 @@ cpfl_fxp_parse_pattern(const struct cpfl_flow_pr_action *pr_action,
 	if (pr_action->type == CPFL_JS_PR_ACTION_TYPE_SEM) {
 		struct cpfl_rule_info *rinfo = &rim->rules[i];
 
+		if (pr_action->sem.keysize > sizeof(pr_action->sem.cpfl_flow_pr_fv) ||
+		    pr_action->sem.keysize > sizeof(rinfo->sem.key)) {
+			PMD_DRV_LOG(ERR, "Invalid SEM key size.");
+			return false;
+		}
+
 		rinfo->type = CPFL_RULE_TYPE_SEM;
 		rinfo->sem.prof_id = pr_action->sem.prof;
 		rinfo->sem.sub_prof_id = pr_action->sem.subprof;
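Review bot: The new bound at the top of the SEM branch compares keysize against `sizeof` of two arrays, which is only the right unit if both `cpfl_flow_pr_fv` and `rinfo->sem.key` are byte arrays and keysize is later used as a byte count; neither declaration nor the copy is inside the hunk, so this is worth confirming (an element-count array would need `RTE_DIM` instead). The log line also drops the value that was rejected, which is the one thing a user debugging a bad JSON file needs; `PMD_DRV_LOG(ERR, "Invalid SEM key size %u.", pr_action->sem.keysize);` fixes that. A short comment would also explain why two different limits apply: `/* keysize bounds both the read from cpfl_flow_pr_fv and the write into rinfo->sem.key */`. cpfl_fxp_parse_pattern starts and ends outside the hunk.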
diff --git a/drivers/net/intel/cpfl/cpfl_flow_parser.c b/drivers/net/intel/cpfl/cpfl_flow_parser.c
index e7deb61..7fb2e7e 100644
--- a/drivers/net/intel/cpfl/cpfl_flow_parser.c
+++ b/drivers/net/intel/cpfl/cpfl_flow_parser.c
@@ -323,6 +323,10 @@ cpfl_flow_js_pattern_act_fv_proto(json_t *ob_value, struct cpfl_flow_js_fv *js_f
 		PMD_DRV_LOG(ERR, "Can not parse 'offset'.");
 		return -EINVAL;
 	}
+	if (offset >= CPFL_JS_SEM_FV_KEY_NUM_MAX / 2) {
+		PMD_DRV_LOG(ERR, "The 'offset' is too large.");
+		return -EINVAL;
+	}
 	ret = cpfl_json_t_to_uint16(ob_value, "mask", &mask);
 	if (ret < 0) {
 		PMD_DRV_LOG(ERR, "Can not parse 'mask'.");
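Review bot: The limit applied to `offset` here may be the wrong one: this is the `offset` of the proto sub-object, parsed next to `mask`, which reads like a position within a protocol header rather than an index into the SEM key storage, and the commit description only speaks of fieldvector offsets. If `js_fv->proto.offset` is later used to read from a flow-item spec (its consumer is outside the hunk), the bound has to come from that header's size, and capping it at `CPFL_JS_SEM_FV_KEY_NUM_MAX / 2` neither protects that read nor says what it protects. Confirm the use site; if the SEM key size really is the right limit here, a comment such as `/* proto.offset selects a 16-bit word of the SEM key, which holds CPFL_JS_SEM_FV_KEY_NUM_MAX bytes */` should say so. cpfl_flow_js_pattern_act_fv_proto starts and ends outside the hunk.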
@@ -391,6 +395,10 @@ cpfl_flow_js_pattern_act_fv(json_t *ob_fvs, struct cpfl_flow_js_pr_action *js_ac
 			PMD_DRV_LOG(ERR, "Can not parse 'offset'.");
 			goto err;
 		}
+		if (offset >= CPFL_JS_SEM_FV_KEY_NUM_MAX / 2) {
+			PMD_DRV_LOG(ERR, "The 'offset' is too large.");
+			goto err;
+		}
 		js_fv->offset = offset;
 
 		type = cpfl_json_t_to_string(object, "type");
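Review bot: The `/ 2` in the new bound is an unexplained magic divisor, and the identical expression is repeated in the proto parser one hunk above; a named limit such as `#define CPFL_JS_SEM_FV_OFFSET_MAX (CPFL_JS_SEM_FV_KEY_NUM_MAX / 2)` placed next to `CPFL_JS_SEM_FV_KEY_NUM_MAX` would carry the meaning and keep both checks in step. Presumably each offset addresses a 16-bit word of the 64-byte storage the description mentions, which is where the halving comes from, but that is inferred: the code that writes at `js_fv->offset` is outside the hunk. The rejection also logs no value; `PMD_DRV_LOG(ERR, "The 'offset' %u is too large.", offset);` helps pinpoint the bad entry. cpfl_flow_js_pattern_act_fv starts and ends outside the hunk.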
@@ -454,6 +462,10 @@ cpfl_flow_js_pattern_per_act(json_t *ob_per_act, struct cpfl_flow_js_pr_action *
 			PMD_DRV_LOG(ERR, "Can not parse 'keysize'.");
 			return -EINVAL;
 		}
+		if (js_act->sem.keysize > sizeof(js_act->sem.cpfl_flow_pr_fv)) {
+			PMD_DRV_LOG(ERR, "The 'keysize' is too large.");
+			return -EINVAL;
+		}
 		ob_fvs = json_object_get(ob_sem, "fieldvectors");
 		ret = cpfl_flow_js_pattern_act_fv(ob_fvs, js_act);
 		if (ret < 0)
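Review bot: The keysize bound is checked before the fieldvectors are parsed, but nothing ties the two limits together: an offset is accepted up to the full storage size in the hunks above, so an entry can land beyond `keysize` bytes and, if only `keysize` bytes are copied later (that copy is outside the hunk, so this is inferred), be silently dropped from the key. A cross-check after `cpfl_flow_js_pattern_act_fv` returns, rejecting any fieldvector whose 16-bit word at `offset` does not fit within `keysize`, would turn that into a loud configuration error instead of a rule that matches less than the JSON describes. A keysize of 0 also passes the new check; it is worth deciding explicitly whether an empty key is meaningful. The enclosing function continues outside the hunk.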
-- 
2.50.1 (Apple Git-155)


