[dpdk-stable] [PATCH] net/mlx5: fix RSS action validation of queue idx
Dekel Peled
dekelp at mellanox.com
Mon Nov 11 15:32:31 CET 2019
RSS action validation function checks the queues included in RSS
to make sure they are valid.
A Queue is considered valid if the pointer to the queue (item at
location queue-index of RxQ array) is not a null value.
The queue indices are not checked. If a large value is entered as
queue index, using it as an index in RxQ array will result in a
pointer to memory out of array bounds. If this memory contains a
value which is not null, this queue will be wrongly considered valid.
This patch updates function mlx5_flow_validate_action_rss() with
check of the input queue indices, as done in function
mlx5_flow_validate_action_queue().
Fixes: 23c1d42c7138 ("net/mlx5: split flow validation to dedicated function")
Cc: stable at dpdk.org
Signed-off-by: Dekel Peled <dekelp at mellanox.com>
---
drivers/net/mlx5/mlx5_flow.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/mlx5/mlx5_flow.c b/drivers/net/mlx5/mlx5_flow.c
index 092f7b4..14a89e2 100644
--- a/drivers/net/mlx5/mlx5_flow.c
+++ b/drivers/net/mlx5/mlx5_flow.c
@@ -1151,6 +1151,11 @@ uint32_t mlx5_flow_adjust_priority(struct rte_eth_dev *dev, int32_t priority,
RTE_FLOW_ERROR_TYPE_ACTION_CONF,
NULL, "No queues configured");
for (i = 0; i != rss->queue_num; ++i) {
+ if (rss->queue[i] >= priv->rxqs_n)
+ return rte_flow_error_set
+ (error, EINVAL,
+ RTE_FLOW_ERROR_TYPE_ACTION_CONF,
+ &rss->queue[i], "queue index out of range");
if (!(*priv->rxqs)[rss->queue[i]])
return rte_flow_error_set
(error, EINVAL, RTE_FLOW_ERROR_TYPE_ACTION_CONF,
--
1.8.3.1
More information about the stable
mailing list