patch 'net/af_packet: fix receive buffer overflow' has been queued to stable release 25.11.1

Kevin Traynor ktraynor at redhat.com
Thu Mar 19 11:03:06 CET 2026

Previous message (by thread): patch 'net/af_packet: fix MTU set data size calculation' has been queued to stable release 25.11.1
Next message (by thread): patch 'hash: avoid leaking entries on RCU defer queue failure' has been queued to stable release 25.11.1
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

FYI, your patch has been queued to stable release 25.11.1

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 03/23/26. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable/commit/203e04a9da9d8419ee31a6d892d8d58cb192a631

Thanks.

Kevin

---
>From 203e04a9da9d8419ee31a6d892d8d58cb192a631 Mon Sep 17 00:00:00 2001
From: Xavier Guillaume <xavier.guillaume at ovhcloud.com>
Date: Tue, 10 Mar 2026 12:21:21 +0100
Subject: [PATCH] net/af_packet: fix receive buffer overflow

[ upstream commit 3ed9a05bff5d0e06efb0bd5617a398337fe5eac7 ]

The receive path copies the entire incoming packet into a single
mbuf without verifying the packet fits. If the kernel interface
MTU is raised externally beyond the mbuf data room size, the
memcpy overflows the mbuf buffer.

Add a bounds check against the mbuf tailroom before copying.
Oversized packets are dropped and accounted for in the
rx_dropped_pkts counter, consistent with how the TX path
already drops oversized packets.

Fixes: 364e08f2bbc0 ("af_packet: add PMD for AF_PACKET-based virtual devices")

Signed-off-by: Xavier Guillaume <xavier.guillaume at ovhcloud.com>
---
 drivers/net/af_packet/rte_eth_af_packet.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/net/af_packet/rte_eth_af_packet.c b/drivers/net/af_packet/rte_eth_af_packet.c
index 4ed5ee5737..837d6f1022 100644
--- a/drivers/net/af_packet/rte_eth_af_packet.c
+++ b/drivers/net/af_packet/rte_eth_af_packet.c
@@ -155,4 +155,14 @@ eth_af_packet_rx(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts)
 		}
 
+		/* drop packets that won't fit in the mbuf */
+		if (ppd->tp_snaplen > rte_pktmbuf_tailroom(mbuf)) {
+			rte_pktmbuf_free(mbuf);
+			ppd->tp_status = TP_STATUS_KERNEL;
+			if (++framenum >= framecount)
+				framenum = 0;
+			pkt_q->rx_dropped_pkts++;
+			continue;
+		}
+
 		/* packet will fit in the mbuf, go ahead and receive it */
 		rte_pktmbuf_pkt_len(mbuf) = rte_pktmbuf_data_len(mbuf) = ppd->tp_snaplen;
-- 
2.53.0

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2026-03-19 10:01:09.051410527 +0000
+++ 0068-net-af_packet-fix-receive-buffer-overflow.patch	2026-03-19 10:01:07.126483552 +0000
@@ -1 +1 @@
-From 3ed9a05bff5d0e06efb0bd5617a398337fe5eac7 Mon Sep 17 00:00:00 2001
+From 203e04a9da9d8419ee31a6d892d8d58cb192a631 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit 3ed9a05bff5d0e06efb0bd5617a398337fe5eac7 ]
+
@@ -17 +18,0 @@
-Cc: stable at dpdk.org
@@ -25 +26 @@
-index bfa68297a6..b04987aaf7 100644
+index 4ed5ee5737..837d6f1022 100644

Previous message (by thread): patch 'net/af_packet: fix MTU set data size calculation' has been queued to stable release 25.11.1
Next message (by thread): patch 'hash: avoid leaking entries on RCU defer queue failure' has been queued to stable release 25.11.1
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the stable mailing list