[PATCH 1/2] ethdev: fix out-of-bounds write in GENEVE option conversion
Stephen Hemminger
stephen at networkplumber.org
Wed May 27 17:38:42 CEST 2026
On Wed, 27 May 2026 02:11:58 +0800
James Raphael Tiovalen <jamestiotio at gmail.com> wrote:
> rte_flow_conv_item_spec() is documented to truncate output to the
> caller-supplied buffer size. For RTE_FLOW_ITEM_TYPE_GENEVE_OPT, the
> deep-copy of the variable-length option data was gated on `size > 0`
> instead of `size >= off + tmp`, the form used by the sibling RAW
> branch. A caller passing a buffer just large enough for the header
> struct had adjacent memory clobbered by up to `option_len * 4` bytes of
> option payload.
>
> Align the GENEVE_OPT guard with the RAW one.
>
> Fixes: 841a0445442d ("ethdev: fix GENEVE option item conversion")
> Cc: stable at dpdk.org
>
> Signed-off-by: James Raphael Tiovalen <jamestiotio at gmail.com>
> ---
Does not apply to current main branch.
There were recent fixes in this area.
Rebase and resubmit please.
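
The guard difference described in the quoted commit message, as an added example that is not part of the original thread and is not DPDK code. It is a simplified model: `struct opt_item`, `conv_opt()` and `bytes_clobbered()` are hypothetical names, the payload is constructed, and a canary-filled arena stands in for the memory adjacent to the caller's buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified item: fixed header plus variable-length payload. */
struct opt_item {
    uint8_t option_len;    /* payload length in 4-byte words */
    const uint32_t *data;  /* payload, deep-copied right after the header */
};

/* GUARD_SIZE_NONZERO models the `size > 0` check, GUARD_FITS the RAW-style one. */
enum guard { GUARD_SIZE_NONZERO, GUARD_FITS };

/* Truncating copy of src into buf[0..size); returns bytes a full copy needs. */
static size_t conv_opt(void *buf, size_t size, const struct opt_item *src,
                       enum guard g)
{
    struct opt_item hdr = *src;
    size_t off = sizeof(hdr);
    size_t tmp = (size_t)src->option_len * 4;
    int copy = (g == GUARD_FITS) ? (size >= off + tmp) : (size > 0);
    if (copy && tmp)
        hdr.data = memcpy((uint8_t *)buf + off, src->data, tmp);
    memcpy(buf, &hdr, size < off ? size : off);
    return off + tmp;
}

/* Counts canary bytes changed beyond the size the caller declared. */
static size_t bytes_clobbered(size_t size, enum guard g)
{
    static const uint32_t payload[3] = { 0x11111111, 0x22222222, 0x33333333 };
    struct opt_item src = { .option_len = 3, .data = payload }; /* constructed */
    uint64_t store[16];                  /* 128 bytes, suitably aligned */
    uint8_t *arena = (uint8_t *)store;
    size_t i, n = 0;
    memset(arena, 0xA5, sizeof(store));  /* canary fill */
    conv_opt(arena, size, &src, g);
    for (i = size; i < sizeof(store); i++)
        n += (arena[i] != 0xA5);
    return n;
}

int main(void)
{
    size_t hdr_only = sizeof(struct opt_item);
    printf("size > 0 guard:          %zu bytes clobbered\n", bytes_clobbered(hdr_only, GUARD_SIZE_NONZERO));
    printf("size >= off + tmp guard: %zu bytes clobbered\n", bytes_clobbered(hdr_only, GUARD_FITS));
    return 0;
}
```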