|SUCCESS| [v2] ethdev: fix pointer check in GENEVE and RAW flow copy

dpdklab at iol.unh.edu dpdklab at iol.unh.edu
Tue May 19 20:14:46 CEST 2026


Test-Label: ai-code-review
Test-Status: SUCCESS
https://dpdk.org/patch/164135

_AI Code Review_

=== Patch Review: series.patch (via Claude) ===
Review date: 2026-05-19

git sha: Unavailable from patch format
Author: Denis Lyulin <lyulin.2003 at mail.ru>
Subject: [PATCH v2] ethdev: fix pointer check in GENEVE and RAW flow copy

This patch addresses NULL pointer dereference issues in
rte_flow_conv_item_spec() for GENEVE_OPT and RAW item types when the spec
pointer is NULL but last or mask pointers are valid.

> diff --git a/lib/ethdev/rte_flow.c b/lib/ethdev/rte_flow.c
> index fe8f43caff..7a51b667cf 100644
> --- a/lib/ethdev/rte_flow.c
> +++ b/lib/ethdev/rte_flow.c
> @@ -672,13 +672,17 @@ rte_flow_conv_item_spec(void *buf, const size_t size,
>  			   }),
>  			   size > sizeof(*dst.raw) ? sizeof(*dst.raw) : size);
>  		off = sizeof(*dst.raw);
> -		if (type == RTE_FLOW_CONV_ITEM_SPEC ||
> -		    (type == RTE_FLOW_CONV_ITEM_MASK &&
> -		     ((spec.raw->length & mask.raw->length) >=
> -		      (last.raw->length & mask.raw->length))))

The original logic dereferences spec.raw unconditionally in the
RTE_FLOW_CONV_ITEM_MASK case. Does this code properly handle the case
where spec.raw is NULL but mask.raw is valid?

> +		if (type == RTE_FLOW_CONV_ITEM_SPEC && spec.raw)
>  			tmp = spec.raw->length & mask.raw->length;

In this branch, when type is RTE_FLOW_CONV_ITEM_SPEC, does the code
correctly handle the case where spec.raw is NULL? The original code did
not check spec.raw for NULL in this path.

> +		else if (type == RTE_FLOW_CONV_ITEM_MASK && spec.raw && last.raw &&
> +			 ((spec.raw->length & mask.raw->length) >=
> +			  (last.raw->length & mask.raw->length)))
> +			tmp = spec.raw->length & mask.raw->length;

Does this code properly handle the scenario where mask.raw is NULL?
The mask.raw->length field is accessed without verifying mask.raw is
non-NULL.

> +		else if (last.raw)
>  			tmp = last.raw->length & mask.raw->length;

In this branch, when last.raw is non-NULL but mask.raw is NULL, does
this dereference of mask.raw->length cause a NULL pointer dereference?

> +		else
> +			tmp = 0;
> +
>  		if (tmp) {
>  			off = RTE_ALIGN_CEIL(off, sizeof(*dst.raw->pattern));
>  			if (size >= off + tmp) {
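
Review bot: In the new if/else chain for RAW, the fall-through cases change which length is selected. A RTE_FLOW_CONV_ITEM_SPEC request with spec.raw NULL and last.raw set drops to `else if (last.raw)` and sizes the pattern from last.raw->length, and a RTE_FLOW_CONV_ITEM_MASK request with spec.raw set but last.raw NULL reaches `tmp = 0` instead of using spec.raw->length. Consider handling each conversion type explicitly and treating a NULL spec.raw or last.raw as length 0 in the MASK comparison, so the chosen length always matches the requested type. mask.raw->length is still read unguarded in all three branches; if mask.raw is guaranteed non-NULL at this point, a short comment saying so would help.
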
> @@ -696,8 +700,8 @@ rte_flow_conv_item_spec(void *buf, const size_t size,
>  		spec.geneve_opt = item->spec;
>  		src.geneve_opt = data;
>  		dst.geneve_opt = buf;
> -		tmp = spec.geneve_opt->option_len << 2;
> -		if (size > 0 && src.geneve_opt->data) {
> +		tmp = spec.geneve_opt ? (spec.geneve_opt->option_len << 2) : 0;
> +		if (size > 0 && tmp > 0 && src.geneve_opt->data) {

When spec.geneve_opt is NULL, does src.geneve_opt->data correctly handle
this? The src.geneve_opt is assigned from the data parameter and might not
be NULL even when spec.geneve_opt is NULL.

>  			deep_src = (void *)((uintptr_t)(dst.geneve_opt + 1));
>  			dst.geneve_opt->data = rte_memcpy(deep_src,
>  							  src.geneve_opt->data,
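
Review bot: The copy length in the GENEVE_OPT case still comes only from spec.geneve_opt->option_len while the bytes come from src.geneve_opt->data, so with spec NULL the added `tmp > 0` test skips the block that sets dst.geneve_opt->data even when src carries option data. Please document what dst.geneve_opt->data holds on that path (a comment above the `if` would do), or take the length from a source that is valid when only last or mask is set. src.geneve_opt is also dereferenced without a check; since it is assigned from data, a note on whether data can be NULL here would settle that.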

