[PATCH 0/2] ethdev: fix out-of-bounds writes in rte_flow_conv()
James Raphael Tiovalen
jamestiotio at gmail.com
Tue May 26 20:11:57 CEST 2026

rte_flow_conv() is documented to truncate output to the caller-supplied
buffer size, but two paths handling variable-length trailing data
ignored that contract and copied the full payload whenever the
destination pointer was non-NULL. A caller passing a buffer just large
enough for the fixed-size header had adjacent memory clobbered:

- GENEVE_OPT: up to option_len * 4 bytes
- FLEX: up to 4 GiB, since src->length is a uint32_t and the API places
  no bounds on it

Patch 1 aligns the GENEVE_OPT guard with the sibling RAW branch, which
already gates its copy on the remaining buffer size.

Patch 2 plumbs the remaining buffer size into the flex-item desc_fn
callback (which previously took no size argument at all) and gates the
inner rte_memcpy() on it.

James Raphael Tiovalen (2):
  ethdev: fix out-of-bounds write in GENEVE option conversion
  ethdev: fix out-of-bounds write in flex item conversion

 lib/ethdev/rte_flow.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

--
2.43.0
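
The size-gated copy described in the cover letter above, as an added example that is not part of the original message or of DPDK: `struct opt_item`, `conv_opt()` and the canary check are hypothetical stand-ins modelled on that description, and the sample payload is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical item: fixed header plus option_len 32-bit words of payload. */
struct opt_item {
    uint8_t option_len;      /* payload length in 4-byte words */
    const uint32_t *data;    /* variable-length trailing data */
};

/*
 * Convert src into buf, writing at most size bytes (buf is assumed to be
 * suitably aligned). Returns the byte count a full conversion needs, so
 * the caller detects truncation by comparing the result with size.
 */
size_t conv_opt(void *buf, size_t size, const struct opt_item *src)
{
    size_t off = sizeof(*src);
    size_t tmp = (size_t)src->option_len * sizeof(uint32_t);
    struct opt_item hdr = *src;

    hdr.data = NULL;
    /* Gate on the remaining size, not only on buf being non-NULL. */
    if (buf != NULL && tmp != 0 && size >= off + tmp) {
        memcpy((uint8_t *)buf + off, src->data, tmp);
        hdr.data = (const uint32_t *)((uint8_t *)buf + off);
    }
    if (buf != NULL)
        memcpy(buf, &hdr, size < off ? size : off); /* truncated header */
    return off + tmp;
}

/* Constructed check: header-sized buffer followed by a canary region. */
int canary_intact_after_short_conv(void)
{
    static const uint32_t payload[4] = { 1, 2, 3, 4 };
    struct opt_item src = { 4, payload };
    struct { struct opt_item hdr; uint8_t canary[16]; } mem;

    memset(mem.canary, 0xA5, sizeof(mem.canary));
    size_t need = conv_opt(&mem.hdr, sizeof(mem.hdr), &src);
    for (size_t i = 0; i < sizeof(mem.canary); i++)
        if (mem.canary[i] != 0xA5)
            return 0;
    return need == sizeof(mem.hdr) + 16 && mem.hdr.data == NULL;
}
```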