From 97127d429876b6ac817de65c6e3c1c2d17851bfe Mon Sep 17 00:00:00 2001 From: Dekel Peled Date: Mon, 11 Nov 2019 16:32:31 +0200 Subject: [PATCH] net/mlx5: fix check of RSS queue index RSS action validation function checks the queues included in RSS to make sure they are valid. A Queue is considered valid if the pointer to the queue (item at location queue-index of RxQ array) is not a null value. The queue indices are not checked. If a large value is entered as queue index, using it as an index in RxQ array will result in a pointer to memory out of array bounds. If this memory contains a value which is not null, this queue will be wrongly considered valid. This patch updates function mlx5_flow_validate_action_rss() with check of the input queue indices, as done in function mlx5_flow_validate_action_queue(). Fixes: 23c1d42c7138 ("net/mlx5: split flow validation to dedicated function") Cc: stable@dpdk.org Signed-off-by: Dekel Peled Acked-by: Matan Azrad --- drivers/net/mlx5/mlx5_flow.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/net/mlx5/mlx5_flow.c b/drivers/net/mlx5/mlx5_flow.c index 092f7b4c4f..14a89e2e3b 100644 --- a/drivers/net/mlx5/mlx5_flow.c +++ b/drivers/net/mlx5/mlx5_flow.c @@ -1151,6 +1151,11 @@ mlx5_flow_validate_action_rss(const struct rte_flow_action *action, RTE_FLOW_ERROR_TYPE_ACTION_CONF, NULL, "No queues configured"); for (i = 0; i != rss->queue_num; ++i) { + if (rss->queue[i] >= priv->rxqs_n) + return rte_flow_error_set + (error, EINVAL, + RTE_FLOW_ERROR_TYPE_ACTION_CONF, + &rss->queue[i], "queue index out of range"); if (!(*priv->rxqs)[rss->queue[i]]) return rte_flow_error_set (error, EINVAL, RTE_FLOW_ERROR_TYPE_ACTION_CONF, -- 2.20.1