patch 'net/mlx5: fix heap buffer overflow in sample group match' has been queued to stable release 25.11.1
Kevin Traynor
ktraynor at redhat.com
Fri Mar 27 11:01:10 CET 2026
Hi,
FYI, your patch has been queued to stable release 25.11.1
Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 03/31/26. So please
shout if anyone has objections.
Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.
Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable
This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable/commit/1af0c93a8e92e52b8a230b61b212f7aa5a3857ae
Thanks.
Kevin
---
From 1af0c93a8e92e52b8a230b61b212f7aa5a3857ae Mon Sep 17 00:00:00 2001
From: Shani Peretz <shperetz at nvidia.com>
Date: Sun, 15 Mar 2026 10:44:04 +0200
Subject: [PATCH] net/mlx5: fix heap buffer overflow in sample group match
[ upstream commit bc2738c4fe2d9d96b0a6700dc7ce7da6ef4f8e85 ]
The cached group match callback compares serialized actions
using memcmp with the size of the new actions buffer.
When the new actions serialize to a larger buffer than an existing
cached entry, memcmp reads past the cached entry's heap allocation,
causing a heap-buffer-overflow detected by AddressSanitizer.
Add a size comparison before the memcmp so that entries with
different serialized sizes are rejected as non-matching immediately,
avoiding the out-of-bounds read.
Fixes: d986f04d6529 ("net/mlx5: add functions for non-template flow sample")
Signed-off-by: Shani Peretz <shperetz at nvidia.com>
Acked-by: Dariusz Sosnowski <dsosnowski at nvidia.com>
---
drivers/net/mlx5/mlx5_nta_sample.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/mlx5/mlx5_nta_sample.c b/drivers/net/mlx5/mlx5_nta_sample.c
index 0b7b3d0c8e..848f942cb6 100644
--- a/drivers/net/mlx5/mlx5_nta_sample.c
+++ b/drivers/net/mlx5/mlx5_nta_sample.c
@@ -294,4 +294,6 @@ mlx5_nta_sample_cached_group_match(void *cache_ctx __rte_unused,
if (actions_size < 0)
return ~0;
+ if ((size_t)actions_size != cached_obj->actions_size)
+ return ~0;
return memcmp(cached_obj->actions, obj_ctx->actions, actions_size);
}
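Review bot: the new check in mlx5_nta_sample_cached_group_match() carries no comment saying that it bounds the memcmp that follows, so a later cleanup could reorder or drop it; add a one-line comment above `if ((size_t)actions_size != cached_obj->actions_size)` stating that the lengths must be equal before the compare. The `(size_t)` cast is only safe because the `actions_size < 0` return sits directly above it, so the two checks need to stay in this order. The hunk does not show where `cached_obj->actions_size` is set; the fix relies on it being the allocated length of `cached_obj->actions`, which is worth confirming at the point where the entry is created.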
--
2.53.0
---
Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- - 2026-03-27 09:58:26.455354902 +0000
+++ 0010-net-mlx5-fix-heap-buffer-overflow-in-sample-group-ma.patch 2026-03-27 09:58:26.131679930 +0000
@@ -1 +1 @@
-From bc2738c4fe2d9d96b0a6700dc7ce7da6ef4f8e85 Mon Sep 17 00:00:00 2001
+From 1af0c93a8e92e52b8a230b61b212f7aa5a3857ae Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit bc2738c4fe2d9d96b0a6700dc7ce7da6ef4f8e85 ]
+
@@ -17 +18,0 @@
-Cc: stable at dpdk.org
@@ -26 +27 @@
-index c637b0ede3..158720fb87 100644
+index 0b7b3d0c8e..848f942cb6 100644
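Review bot: the index line changes from `c637b0ede3..158720fb87` to `0b7b3d0c8e..848f942cb6`, so mlx5_nta_sample.c on the stable branch is not byte-identical to upstream even though no code lines of the patch differ. It is worth confirming on the stable branch that `cached_obj->actions_size` is populated when the cached entry is created, since the backported check depends on that field.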
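The over-read described in the commit message, as an added example that is not part of the patch or of DPDK. `struct cached_entry`, the sample byte arrays and all function names are hypothetical stand-ins, and `overread_bytes` computes the out-of-bounds length without performing the read.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a cached entry: serialized actions and their length. */
struct cached_entry {
    const uint8_t *actions;
    size_t actions_size;
};

/* Constructed sample data: SHORT_ACT is a strict prefix of LONG_ACT. */
static const uint8_t SHORT_ACT[4] = {0x01, 0x02, 0x03, 0x04};
static const uint8_t LONG_ACT[8]  = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08};
static const struct cached_entry CACHE[2] = { {SHORT_ACT, sizeof SHORT_ACT}, {LONG_ACT, sizeof LONG_ACT} };

/* Bytes that memcmp(cached, new, new_size) may read past the cached buffer
 * when the length comes only from the new actions (the pre-fix behaviour). */
size_t overread_bytes(const struct cached_entry *e, int new_size)
{
    if (new_size < 0 || (size_t)new_size <= e->actions_size)
        return 0;
    return (size_t)new_size - e->actions_size;
}

/* Match with the size guard: 0 on match, non-zero otherwise. */
int match_checked(const struct cached_entry *e, const uint8_t *actions, int actions_size)
{
    if (actions_size < 0)
        return ~0;
    if ((size_t)actions_size != e->actions_size)
        return ~0;              /* different length: cannot be equal */
    return memcmp(e->actions, actions, (size_t)actions_size);
}

/* Linear lookup using the guarded match; returns the entry index or -1. */
int cache_lookup(const struct cached_entry *cache, size_t n, const uint8_t *actions, int actions_size)
{
    for (size_t i = 0; i < n; i++)
        if (match_checked(&cache[i], actions, actions_size) == 0)
            return (int)i;
    return -1;
}

int main(void)
{
    printf("unguarded over-read vs entry 0: %zu bytes\n", overread_bytes(&CACHE[0], (int)sizeof LONG_ACT));
    printf("guarded lookup of LONG_ACT: entry %d\n", cache_lookup(CACHE, 2, LONG_ACT, (int)sizeof LONG_ACT));
    return 0;
}
```

Because the first four bytes of the two sample buffers are equal, an unguarded compare of the 8-byte buffer against the 4-byte entry cannot stop early on a mismatch, which is the case where the read is certain to leave the cached allocation.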