[PATCH] net/ixgbe: incorrect MAC/VLAN item validation for ntuple

Daniil Iskhakov dish at amicon.ru
Mon Apr 27 17:16:04 CEST 2026

Previous message (by thread): [PATCH v2] app/test-pmd: terminate process on second signal
Next message (by thread): [PATCH v2] cmdline: prevent out-of-bounds read in completion buffer
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

When parsing an ntuple filter, the code attempts to ensure that if the
first item is ETH (or VLAN), its spec and mask must be NULL (i.e.
zeroed structure). The current check is:

  if ((item->spec || item->mask) &&
      (memcmp(spec, &null_struct, size) ||
          memcmp(mask, &null_struct, size)))

This condition is logically incorrect. If item->spec points to a
zero-filled structure and item->mask is NULL, memcmp(mask) would
dereference a NULL pointer.

The intention os code is to reject any non‑zero spec or mask.

Split the check into two independent conditions for spec and mask.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 46ea969177f3 ("net/ixgbe: add ntuple support to flow parser")
Cc: stable at dpdk.org

Signed-off-by: Daniil Agalakov <ade at amicon.ru>
Signed-off-by: Daniil Iskhakov <dish at amicon.ru>
---
Cc: wei.zhao1 at intel.com
Cc: sdl.dpdk at linuxtesting.org
Cc: rrv at amicon.ru
---
 drivers/net/intel/ixgbe/ixgbe_flow.c | 37 +++++++++++++++++-----------
 1 file changed, 22 insertions(+), 15 deletions(-)

diff --git a/drivers/net/intel/ixgbe/ixgbe_flow.c b/drivers/net/intel/ixgbe/ixgbe_flow.c
index 01cd4f9bde..9edfff413e 100644
--- a/drivers/net/intel/ixgbe/ixgbe_flow.c
+++ b/drivers/net/intel/ixgbe/ixgbe_flow.c
@@ -238,14 +238,18 @@ cons_parse_ntuple_filter(const struct rte_flow_attr *attr,
 
 		}
 		/* if the first item is MAC, the content should be NULL */
-		if ((item->spec || item->mask) &&
-			(memcmp(eth_spec, &eth_null,
-				sizeof(struct rte_flow_item_eth)) ||
-			 memcmp(eth_mask, &eth_null,
-				sizeof(struct rte_flow_item_eth)))) {
+		if (item->spec && memcmp(eth_spec, &eth_null,
+			sizeof(struct rte_flow_item_eth))) {
 			rte_flow_error_set(error, EINVAL,
-				RTE_FLOW_ERROR_TYPE_ITEM,
-				item, "Not supported by ntuple filter");
+			  RTE_FLOW_ERROR_TYPE_ITEM,
+			  item, "Not supported by ntuple filter");
+			return -rte_errno;
+		}
+		if (item->mask && memcmp(eth_mask, &eth_null,
+			sizeof(struct rte_flow_item_eth))) {
+			rte_flow_error_set(error, EINVAL,
+			  RTE_FLOW_ERROR_TYPE_ITEM,
+			  item, "Not supported by ntuple filter");
 			return -rte_errno;
 		}
 		/* check if the next not void item is IPv4 or Vlan */
@@ -271,15 +275,18 @@ cons_parse_ntuple_filter(const struct rte_flow_attr *attr,
 			return -rte_errno;
 		}
 		/* the content should be NULL */
-		if ((item->spec || item->mask) &&
-			(memcmp(vlan_spec, &vlan_null,
-				sizeof(struct rte_flow_item_vlan)) ||
-			 memcmp(vlan_mask, &vlan_null,
-				sizeof(struct rte_flow_item_vlan)))) {
-
+		if (item->spec && memcmp(vlan_spec, &vlan_null,
+			sizeof(struct rte_flow_item_vlan))) {
 			rte_flow_error_set(error, EINVAL,
-				RTE_FLOW_ERROR_TYPE_ITEM,
-				item, "Not supported by ntuple filter");
+			  RTE_FLOW_ERROR_TYPE_ITEM,
+			  item, "Not supported by ntuple filter");
+			return -rte_errno;
+		}
+		if (item->mask && memcmp(vlan_mask, &vlan_null,
+			sizeof(struct rte_flow_item_vlan))) {
+			rte_flow_error_set(error, EINVAL,
+			  RTE_FLOW_ERROR_TYPE_ITEM,
+			  item, "Not supported by ntuple filter");
 			return -rte_errno;
 		}
 		/* check if the next not void item is IPv4 */
-- 
2.43.0

Previous message (by thread): [PATCH v2] app/test-pmd: terminate process on second signal
Next message (by thread): [PATCH v2] cmdline: prevent out-of-bounds read in completion buffer
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the stable mailing list