[PATCH] net/mlx5: fix stack-buffer-overflow in indexed based rules

Maayan Kashani mkashani at nvidia.com
Wed Jul 30 09:16:59 CEST 2025

Previous message (by thread): patch 'examples/ipsec-secgw: fix number of queue pairs' has been queued to stable release 23.11.5
Next message (by thread): please help backporting some patches to stable release 23.11.5
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

During asynchronous flow creation by index,
the items array was initialized with only one element,
but the table metadata did not update the item count accordingly.
This mismatch led to an out-of-bounds memcpy operation,
as the code attempted to copy more elements than were actually allocated.

To resolve this, since item matching is disregarded when inserting a
rule by index (the rule is triggered when a packet reaches the
specified index),
the fix is to skip preparing the items array in this case.
Instead, the items array should only contain a single element,
RTE_FLOW_ITEM_TYPE_END, which indicates no match pattern is needed.
This prevents unsafe memory operations and aligns the array size
with its intended usage.

Fixes: 36c379c82e82 ("net/mlx5: add flow rule insertion by index with pattern")
Cc: stable at dpdk.org

Signed-off-by: Maayan Kashani <mkashani at nvidia.com>
Acked-by: Dariusz Sosnowski <dsosnowski at nvidia.com>
---
 drivers/net/mlx5/mlx5_flow_hw.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/net/mlx5/mlx5_flow_hw.c b/drivers/net/mlx5/mlx5_flow_hw.c
index 6dc16f80d32..016370f68bf 100644
--- a/drivers/net/mlx5/mlx5_flow_hw.c
+++ b/drivers/net/mlx5/mlx5_flow_hw.c
@@ -3982,10 +3982,14 @@ flow_hw_async_flow_create_generic(struct rte_eth_dev *dev,
 				      flow->table, actions,
 				      rule_acts, queue, &sub_error))
 		goto error;
-	rule_items = flow_hw_get_rule_items(dev, table, items,
-					    pattern_template_index, &priv->hw_q[queue].pp);
-	if (!rule_items)
-		goto error;
+	if (insertion_type == RTE_FLOW_TABLE_INSERTION_TYPE_INDEX) {
+		rule_items = items;
+	} else {
+		rule_items = flow_hw_get_rule_items(dev, table, items,
+						    pattern_template_index, &priv->hw_q[queue].pp);
+		if (!rule_items)
+			goto error;
+	}
 	if (likely(!rte_flow_template_table_resizable(dev->data->port_id, &table->cfg.attr))) {
 		ret = mlx5dr_rule_create(table->matcher_info[0].matcher,
 					 pattern_template_index, rule_items,
-- 
2.21.0

Previous message (by thread): patch 'examples/ipsec-secgw: fix number of queue pairs' has been queued to stable release 23.11.5
Next message (by thread): please help backporting some patches to stable release 23.11.5
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the stable mailing list