[PATCH v2 0/2] ethdev: fix out-of-bounds writes in rte_flow_conv()
Stephen Hemminger
stephen at networkplumber.org
Thu Jun 11 20:15:47 CEST 2026
On Wed, 10 Jun 2026 19:33:32 +0800
James Raphael Tiovalen <jamestiotio at gmail.com> wrote:
> rte_flow_conv() is documented to truncate output to the caller-supplied
> buffer size, but two paths handling variable-length trailing data
> ignored that contract and copied the full payload whenever the
> destination pointer was non-NULL. A caller passing a buffer just large
> enough for the fixed-size header had adjacent memory clobbered:
>
> - GENEVE_OPT: up to option_len * 4 bytes
> - FLEX: up to 4 GiB, since src->length is a uint32_t and the API places
>   no bounds on it
>
> Patch 1 aligns the GENEVE_OPT guard with the sibling RAW branch, which
> already gates its copy on the remaining buffer size.
>
> Patch 2 plumbs the remaining buffer size into the flex-item desc_fn
> callback (which previously took no size argument at all) and gates the
> inner rte_memcpy() on it.
>
> v2 fixes the merge conflict between patch 1 and the main branch.
>
> James Raphael Tiovalen (2):
>   ethdev: fix out-of-bounds write in GENEVE option conversion
>   ethdev: fix out-of-bounds write in flex item conversion
>
> lib/ethdev/rte_flow.c | 11 ++++++-----
> 1 file changed, 6 insertions(+), 5 deletions(-)
>
Applied to next-net, and added you to .mailmap
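
The truncation contract described in the quoted cover letter, as an added C example that is not part of this message and is not DPDK code: `struct opt_item`, `conv_opt()` and `tail_untouched()` are hypothetical names, and the sample data is constructed. It contrasts a trailing-data copy gated only on a non-NULL destination with one gated on the remaining buffer size.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical item: fixed header followed by option_len 4-byte words. */
struct opt_item {
    uint8_t option_len;
    const uint32_t *data;
};

/*
 * Convert src into dst, which has `size` usable bytes. Always returns the
 * size a full copy needs, so return > size tells the caller it was truncated.
 * gate_on_size == 0 reproduces the flawed "dst != NULL" guard.
 */
size_t conv_opt(struct opt_item *dst, size_t size,
                const struct opt_item *src, int gate_on_size)
{
    size_t off = sizeof(*dst);
    size_t tmp = (size_t)src->option_len * sizeof(uint32_t);

    if (size > 0)
        memcpy(dst, src, size < off ? size : off);
    if (size >= off)
        dst->data = NULL; /* do not leave dst aliasing src's buffer */
    if (tmp > 0 && (gate_on_size ? size >= off + tmp : dst != NULL)) {
        void *p = memcpy((uint8_t *)dst + off, src->data, tmp);
        if (size >= off)
            dst->data = p;
    }
    return off + tmp;
}

/* Constructed scenario: the caller claims only the header fits. The backing
 * storage is larger, so a stray write is observable instead of undefined. */
int tail_untouched(int gate_on_size)
{
    static const uint32_t words[4] = { 0x11111111, 0x22222222,
                                       0x33333333, 0x44444444 };
    struct opt_item src = { 4, words };
    union { struct opt_item hdr; uint8_t raw[sizeof(struct opt_item) + 16]; } buf;

    memset(buf.raw, 0xA5, sizeof(buf.raw));
    conv_opt(&buf.hdr, sizeof(buf.hdr), &src, gate_on_size);
    for (size_t i = sizeof(buf.hdr); i < sizeof(buf.raw); i++)
        if (buf.raw[i] != 0xA5)
            return 0; /* bytes past the claimed size were overwritten */
    return 1;
}
```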