[dpdk-stable] [PATCH] net/mlx5: fix RSS action validation of queue idx

Dekel Peled dekelp at mellanox.com
Mon Nov 11 15:32:31 CET 2019


RSS action validation function checks the queues included in RSS
to make sure they are valid.
A queue is considered valid if the pointer to the queue (item at
location queue-index of RxQ array) is not a null value.
The queue indices are not checked. If a large value is entered as
queue index, using it as an index in RxQ array will result in a
pointer to memory out of array bounds. If this memory contains a
value which is not null, this queue will be wrongly considered valid.

This patch updates function mlx5_flow_validate_action_rss() with
a check of the input queue indices, as done in function
mlx5_flow_validate_action_queue().

Fixes: 23c1d42c7138 ("net/mlx5: split flow validation to dedicated function")
Cc: stable at dpdk.org

Signed-off-by: Dekel Peled <dekelp at mellanox.com>
---
 drivers/net/mlx5/mlx5_flow.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/mlx5/mlx5_flow.c b/drivers/net/mlx5/mlx5_flow.c
index 092f7b4..14a89e2 100644
--- a/drivers/net/mlx5/mlx5_flow.c
+++ b/drivers/net/mlx5/mlx5_flow.c
@@ -1151,6 +1151,11 @@ uint32_t mlx5_flow_adjust_priority(struct rte_eth_dev *dev, int32_t priority,
 					  RTE_FLOW_ERROR_TYPE_ACTION_CONF,
 					  NULL, "No queues configured");
 	for (i = 0; i != rss->queue_num; ++i) {
+		if (rss->queue[i] >= priv->rxqs_n)
+			return rte_flow_error_set
+				(error, EINVAL,
+				 RTE_FLOW_ERROR_TYPE_ACTION_CONF,
+				 &rss->queue[i], "queue index out of range");
 		if (!(*priv->rxqs)[rss->queue[i]])
 			return rte_flow_error_set
 				(error, EINVAL, RTE_FLOW_ERROR_TYPE_ACTION_CONF,
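Review bot: the added test `rss->queue[i] >= priv->rxqs_n` at the top of the loop body only protects the following `(*priv->rxqs)[rss->queue[i]]` dereference if priv->rxqs_n always equals the number of entries allocated for *priv->rxqs, and nothing in this hunk shows that invariant. Please confirm it holds on every path that resizes or releases the RxQ array, and say so in a short comment above the check. Since the commit message notes the same range check already exists in mlx5_flow_validate_action_queue(), consider moving the range-then-NULL sequence into one shared helper so the two validators cannot drift apart again. The ordering here (range check before the NULL-pointer check) is correct and should be kept that way in any refactor.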
-- 
1.8.3.1


