patch 'common/cnxk: fix buffer overflow in SA setup' has been queued to stable release 25.11.1

Kevin Traynor ktraynor at redhat.com
Thu Mar 19 11:02:00 CET 2026


Hi,

FYI, your patch has been queued to stable release 25.11.1

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 03/23/26. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(i.e. not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable/commit/af60153f551d590171ff528255bbe73922c4c91d

Thanks.

Kevin

---
>From af60153f551d590171ff528255bbe73922c4c91d Mon Sep 17 00:00:00 2001
From: Stephen Hemminger <stephen at networkplumber.org>
Date: Thu, 5 Feb 2026 09:55:56 -0800
Subject: [PATCH] common/cnxk: fix buffer overflow in SA setup

[ upstream commit 99a23d765ec43389267c9c1958e60bd41f54585b ]

The nix_inl_reass_inb_sa_tbl_setup() function initializes inb_sa_sz
to 1 byte, then allocates a buffer of that size. However, the buffer
is subsequently passed to roc_ow_reass_inb_sa_init() which performs:

    memset(sa, 0, sizeof(struct roc_ow_ipsec_inb_sa));

This writes 808 bytes into a 1-byte allocation, causing heap corruption.

This bug was detected by GCC's -Wstringop-overflow warning when
building with LTO, which enables cross-compilation-unit inlining
and allows the compiler to track the allocation size through to
the memset call.

Fix by initializing inb_sa_sz to ROC_NIX_INL_OW_IPSEC_INB_SA_SZ,
which is the standard macro used elsewhere in this file for OW
(Sobek) inbound SA allocations.

Bugzilla ID: 1513
Fixes: fc9a711b5c8f ("common/cnxk: add NIX inline reassembly profile config")

Signed-off-by: Stephen Hemminger <stephen at networkplumber.org>
Acked-by: Nithin Dabilpuram <ndabilpuram at marvell.com>
---
 drivers/common/cnxk/roc_nix_inl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/common/cnxk/roc_nix_inl.c b/drivers/common/cnxk/roc_nix_inl.c
index 8aa18dea8c..39510bbfcf 100644
--- a/drivers/common/cnxk/roc_nix_inl.c
+++ b/drivers/common/cnxk/roc_nix_inl.c
@@ -584,5 +584,5 @@ nix_inl_reass_inb_sa_tbl_setup(struct roc_nix *roc_nix)
 	uint64_t res_addr_offset = 0;
 	uint64_t def_cptq = 0;
-	size_t inb_sa_sz = 1;
+	size_t inb_sa_sz = ROC_NIX_INL_OW_IPSEC_INB_SA_SZ;
 	uint8_t profile_id;
 	struct mbox *mbox;
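Review bot: the new initializer on inb_sa_sz fixes the size, but nothing in this hunk ties ROC_NIX_INL_OW_IPSEC_INB_SA_SZ to the sizeof(struct roc_ow_ipsec_inb_sa) that roc_ow_reass_inb_sa_init() clears, so the two can drift apart again. Consider a build-time assertion that the macro is at least that sizeof, if one does not already exist, so a future mismatch fails every build rather than only LTO builds with -Wstringop-overflow. Since the allocation itself is outside the visible context, it is also worth confirming that no later assignment to inb_sa_sz in this function overrides the initializer before the buffer is allocated.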
-- 
2.53.0

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- -	2026-03-19 10:01:07.202151977 +0000
+++ 0002-common-cnxk-fix-buffer-overflow-in-SA-setup.patch	2026-03-19 10:01:07.057331264 +0000
@@ -1 +1 @@
-From 99a23d765ec43389267c9c1958e60bd41f54585b Mon Sep 17 00:00:00 2001
+From af60153f551d590171ff528255bbe73922c4c91d Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit 99a23d765ec43389267c9c1958e60bd41f54585b ]
+
@@ -25 +26,0 @@
-Cc: stable at dpdk.org
@@ -34 +35 @@
-index a21c40acf1..9337dd476b 100644
+index 8aa18dea8c..39510bbfcf 100644
@@ -37 +38 @@
-@@ -590,5 +590,5 @@ nix_inl_reass_inb_sa_tbl_setup(struct roc_nix *roc_nix)
+@@ -584,5 +584,5 @@ nix_inl_reass_inb_sa_tbl_setup(struct roc_nix *roc_nix)
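
The size mismatch described in the commit message, as an added example that is not part of the patch or of DPDK: an init routine that is told the buffer size rejects the 1-byte allocation instead of clearing 808 bytes into it, and a static assertion ties the allocation size to the structure size. All `demo_`/`DEMO_` names and the value 1024 are assumptions; only the 808-byte structure size comes from the commit message.

```c
#include <assert.h>
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for struct roc_ow_ipsec_inb_sa; only the 808-byte
 * size is taken from the commit message. */
struct demo_inb_sa {
	uint8_t raw[808];
};

/* Hypothetical allocation-size macro, playing the role of
 * ROC_NIX_INL_OW_IPSEC_INB_SA_SZ (its real value is not on the page). */
#define DEMO_INB_SA_SZ 1024

/* Compile-time link between the allocation size and what init writes. */
static_assert(DEMO_INB_SA_SZ >= sizeof(struct demo_inb_sa),
	      "SA allocation smaller than the structure init clears");

/* Init that is told the buffer size and refuses to write past it. */
static int demo_inb_sa_init(void *buf, size_t buf_sz)
{
	if (buf == NULL || buf_sz < sizeof(struct demo_inb_sa))
		return -EINVAL;
	memset(buf, 0, sizeof(struct demo_inb_sa));
	return 0;
}

/* Allocate alloc_sz bytes and initialise an SA in them; returns init's rc. */
static int demo_sa_tbl_setup(size_t alloc_sz)
{
	void *sa = malloc(alloc_sz);
	int rc;

	if (sa == NULL)
		return -ENOMEM;
	rc = demo_inb_sa_init(sa, alloc_sz);
	free(sa);
	return rc;
}

int main(void)
{
	printf("alloc 1 byte: rc=%d\n", demo_sa_tbl_setup(1));
	printf("alloc macro:  rc=%d\n", demo_sa_tbl_setup(DEMO_INB_SA_SZ));
	return 0;
}
```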


