net/mlx5: fix RSS action validation of queue idx
Checks
Commit Message
RSS action validation function checks the queues included in RSS
to make sure they are valid.
A Queue is considered valid if the pointer to the queue (item at
location queue-index of RxQ array) is not a null value.
The queue indices are not checked. If a large value is entered as
queue index, using it as an index in RxQ array will result in a
pointer to memory out of array bounds. If this memory contains a
value which is not null, this queue will be wrongly considered valid.
This patch updates function mlx5_flow_validate_action_rss() with
check of the input queue indices, as done in function
mlx5_flow_validate_action_queue().
Fixes: 23c1d42c7138 ("net/mlx5: split flow validation to dedicated function")
Cc: stable@dpdk.org
Signed-off-by: Dekel Peled <dekelp@mellanox.com>
---
drivers/net/mlx5/mlx5_flow.c | 5 +++++
1 file changed, 5 insertions(+)
Comments
From: Dekel Peled
> RSS action validation function checks the queues included in RSS to make
> sure they are valid.
> A Queue is considered valid if the pointer to the queue (item at location
> queue-index of RxQ array) is not a null value.
> The queue indices are not checked. If a large value is entered as queue
> index, using it as an index in RxQ array will result in a pointer to memory out
> of array bounds. If this memory contains a value which is not null, this queue
> will be wrongly considered valid.
>
> This patch updates function mlx5_flow_validate_action_rss() with check of
> the input queue indices, as done in function
> mlx5_flow_validate_action_queue().
>
> Fixes: 23c1d42c7138 ("net/mlx5: split flow validation to dedicated function")
> Cc: stable@dpdk.org
Acked-by: Matan Azrad <matan@mellanox.com>
Hi,
> -----Original Message-----
> From: dev <dev-bounces@dpdk.org> On Behalf Of Dekel Peled
> Sent: Monday, November 11, 2019 4:33 PM
> To: Matan Azrad <matan@mellanox.com>; Shahaf Shuler
> <shahafs@mellanox.com>; Slava Ovsiienko <viacheslavo@mellanox.com>
> Cc: Ori Kam <orika@mellanox.com>; dev@dpdk.org; stable@dpdk.org
> Subject: [dpdk-dev] [PATCH] net/mlx5: fix RSS action validation of queue idx
>
> RSS action validation function checks the queues included in RSS
> to make sure they are valid.
> A Queue is considered valid if the pointer to the queue (item at
> location queue-index of RxQ array) is not a null value.
> The queue indices are not checked. If a large value is entered as
> queue index, using it as an index in RxQ array will result in a
> pointer to memory out of array bounds. If this memory contains a
> value which is not null, this queue will be wrongly considered valid.
>
> This patch updates function mlx5_flow_validate_action_rss() with
> check of the input queue indices, as done in function
> mlx5_flow_validate_action_queue().
>
> Fixes: 23c1d42c7138 ("net/mlx5: split flow validation to dedicated function")
> Cc: stable@dpdk.org
>
> Signed-off-by: Dekel Peled <dekelp@mellanox.com>
> ---
> drivers/net/mlx5/mlx5_flow.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
Patch applied to next-net-mlx,
Kindest regards,
Raslan Darawsheh
@@ -1151,6 +1151,11 @@ uint32_t mlx5_flow_adjust_priority(struct rte_eth_dev *dev, int32_t priority,
RTE_FLOW_ERROR_TYPE_ACTION_CONF,
NULL, "No queues configured");
for (i = 0; i != rss->queue_num; ++i) {
+ if (rss->queue[i] >= priv->rxqs_n)
+ return rte_flow_error_set
+ (error, EINVAL,
+ RTE_FLOW_ERROR_TYPE_ACTION_CONF,
+ &rss->queue[i], "queue index out of range");
if (!(*priv->rxqs)[rss->queue[i]])
return rte_flow_error_set
(error, EINVAL, RTE_FLOW_ERROR_TYPE_ACTION_CONF,