[PATCH] net/ixgbe: incorrect MAC/VLAN item validation for ntuple

Bruce Richardson bruce.richardson at intel.com
Tue May 5 17:19:26 CEST 2026

Previous message (by thread): [PATCH] devtools: fix regex matching literal plus in patches
Next message (by thread): [PATCH] net/i40e: validate DDP segment header before use
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Apr 27, 2026 at 06:16:04PM +0300, Daniil Iskhakov wrote:
> When parsing an ntuple filter, the code attempts to ensure that if the
> first item is ETH (or VLAN), its spec and mask must be NULL (i.e.
> zeroed structure). The current check is:
> 
>   if ((item->spec || item->mask) &&
>       (memcmp(spec, &null_struct, size) ||
>           memcmp(mask, &null_struct, size)))
> 
> This condition is logically incorrect. If item->spec points to a
> zero-filled structure and item->mask is NULL, memcmp(mask) would
> dereference a NULL pointer.
> 
> The intention os code is to reject any non‑zero spec or mask.
> 
> Split the check into two independent conditions for spec and mask.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: 46ea969177f3 ("net/ixgbe: add ntuple support to flow parser")
> Cc: stable at dpdk.org
> 
> Signed-off-by: Daniil Agalakov <ade at amicon.ru>
> Signed-off-by: Daniil Iskhakov <dish at amicon.ru>
> ---
> Cc: wei.zhao1 at intel.com
> Cc: sdl.dpdk at linuxtesting.org
> Cc: rrv at amicon.ru
> ---
>  drivers/net/intel/ixgbe/ixgbe_flow.c | 37 +++++++++++++++++-----------
>  1 file changed, 22 insertions(+), 15 deletions(-)
> 
> diff --git a/drivers/net/intel/ixgbe/ixgbe_flow.c b/drivers/net/intel/ixgbe/ixgbe_flow.c
> index 01cd4f9bde..9edfff413e 100644
> --- a/drivers/net/intel/ixgbe/ixgbe_flow.c
> +++ b/drivers/net/intel/ixgbe/ixgbe_flow.c
> @@ -238,14 +238,18 @@ cons_parse_ntuple_filter(const struct rte_flow_attr *attr,
>  
>  		}
>  		/* if the first item is MAC, the content should be NULL */
> -		if ((item->spec || item->mask) &&
> -			(memcmp(eth_spec, &eth_null,
> -				sizeof(struct rte_flow_item_eth)) ||
> -			 memcmp(eth_mask, &eth_null,
> -				sizeof(struct rte_flow_item_eth)))) {
> +		if (item->spec && memcmp(eth_spec, &eth_null,
> +			sizeof(struct rte_flow_item_eth))) {
>  			rte_flow_error_set(error, EINVAL,
> -				RTE_FLOW_ERROR_TYPE_ITEM,
> -				item, "Not supported by ntuple filter");
> +			  RTE_FLOW_ERROR_TYPE_ITEM,
> +			  item, "Not supported by ntuple filter");
> +			return -rte_errno;
> +		}
> +		if (item->mask && memcmp(eth_mask, &eth_null,
> +			sizeof(struct rte_flow_item_eth))) {
> +			rte_flow_error_set(error, EINVAL,
> +			  RTE_FLOW_ERROR_TYPE_ITEM,
> +			  item, "Not supported by ntuple filter");
>  			return -rte_errno;
>  		}
>  		/* check if the next not void item is IPv4 or Vlan */

This fix looks correct. However, the indentation is wrong according to DPDK
coding style. Feel free to use up to 100 columns for the text, no need to
wrap at 80 columns if line fits in 100. If indenting the line continuation,
use either a double indent or align with brackets [Yes, original code is
wrong here too]. Our coding standards also recommend that we explicitly put
the checks in to compare pointers explicitly against null, and integer
return values against zero, rather than implicitly converting them to bool
as here.

Finally, what do you think about keeping the checks as a single condition? i.e.

if ((item->spec != NULL && memcmp(eth_spec, &eth_null, sizeof(eth_null)) != 0) ||
		(item->mask != NULL && memcmp(....))) {
	....
}

Regards,
/Bruce

Previous message (by thread): [PATCH] devtools: fix regex matching literal plus in patches
Next message (by thread): [PATCH] net/i40e: validate DDP segment header before use
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the dev mailing list