* [PATCH] net/mlx5: fix heap-buffer-overflow in sample group match
From: Shani Peretz @ 2026-03-15 8:44 UTC
To: dev
Cc: rasland, Shani Peretz, stable, Dariusz Sosnowski,
Viacheslav Ovsiienko, Bing Zhao, Ori Kam, Suanming Mou,
Matan Azrad, Gregory Etelson
The cached group match callback compares serialized actions
using memcmp with the size of the new actions buffer.
When the new actions serialize to a larger buffer than an existing
cached entry, memcmp reads past the cached entry's heap allocation,
causing a heap-buffer-overflow detected by AddressSanitizer.
Add a size comparison before the memcmp so that entries with
different serialized sizes are rejected as non-matching immediately,
avoiding the out-of-bounds read.
Fixes: d986f04d6529 ("net/mlx5: add functions for non-template flow sample")
Cc: stable@dpdk.org
Signed-off-by: Shani Peretz <shperetz@nvidia.com>
Acked-by: Dariusz Sosnowski <dsosnowski@nvidia.com>
---
drivers/net/mlx5/mlx5_nta_sample.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/mlx5/mlx5_nta_sample.c b/drivers/net/mlx5/mlx5_nta_sample.c
index c637b0ede3..158720fb87 100644
--- a/drivers/net/mlx5/mlx5_nta_sample.c
+++ b/drivers/net/mlx5/mlx5_nta_sample.c
@@ -293,6 +293,8 @@ mlx5_nta_sample_cached_group_match(void *cache_ctx __rte_unused,
container_of(entry, struct mlx5_nta_sample_cached_group, entry);
if (actions_size < 0)
return ~0;
+ if ((size_t)actions_size != cached_obj->actions_size)
+ return ~0;
return memcmp(cached_obj->actions, obj_ctx->actions, actions_size);
}
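Review bot: the added size check at lines 33-34 also closes a correctness gap that the commit message does not mention: when the new actions serialize to a shorter buffer than the cached entry, the old memcmp over actions_size compared only a prefix of cached_obj->actions and could report a false match, so consider stating that in the commit message alongside the over-read. Keep the ordering of the two checks as written: the cast in `if ((size_t)actions_size != cached_obj->actions_size)` is only safe because `if (actions_size < 0) return ~0;` runs first, and a later refactor that swaps them would turn a negative size into a huge size_t that never matches but silently hides the bad input.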
--
2.34.1
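The bug class described in the commit message, as an added example that is not part of the patch or of DPDK: a cache whose match callback compares serialized keys with memcmp using only the lookup key's length. The structure and function names (cached_entry, match_unsafe, match_safe, lookup_in_sample_cache) and the sample byte strings are constructed for this illustration and do not reproduce the real mlx5 objects; the signed actions_size parameter is assumed from the `actions_size < 0` check in the hunk.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical cache entry: a heap-allocated serialized action list plus
 * its length. Field names are assumptions for this example. */
struct cached_entry {
    uint8_t *actions;
    size_t actions_size;
};

typedef int (*match_fn)(const struct cached_entry *cached,
                        const uint8_t *actions, ssize_t actions_size);

/* Pre-fix shape: the comparison length comes only from the lookup key.
 * Returns 0 on match (memcmp convention), non-zero otherwise. */
static int match_unsafe(const struct cached_entry *cached,
                        const uint8_t *actions, ssize_t actions_size)
{
    if (actions_size < 0)
        return ~0;
    /* actions_size > cached->actions_size: reads past the cached heap
     * allocation (the over-read AddressSanitizer flags).
     * actions_size < cached->actions_size: compares only a prefix and can
     * report a false match. Neither case is caught here. */
    return memcmp(cached->actions, actions, (size_t)actions_size);
}

/* Post-fix shape: a length mismatch is a non-match before memory is read. */
static int match_safe(const struct cached_entry *cached,
                      const uint8_t *actions, ssize_t actions_size)
{
    if (actions_size < 0)
        return ~0;
    if ((size_t)actions_size != cached->actions_size)
        return ~0;
    return memcmp(cached->actions, actions, (size_t)actions_size);
}

/* Constructed sample data: two cached action lists of different lengths,
 * plus a prefix key and a longer key for the two mismatch cases. */
static const uint8_t ACTIONS_A[] = { 0x01, 0x02, 0x03 };
static const uint8_t ACTIONS_B[] = { 0x01, 0x02, 0x03, 0x04, 0x05 };
static const uint8_t KEY_PREFIX[] = { 0x01, 0x02 };
static const uint8_t KEY_LONGER[] = { 0x01, 0x02, 0x03, 0x04 };

static struct cached_entry *entry_new(const uint8_t *src, size_t n)
{
    struct cached_entry *e = malloc(sizeof(*e));
    if (e == NULL)
        abort();
    e->actions = malloc(n); /* exactly n bytes: any over-read is OOB */
    if (e->actions == NULL)
        abort();
    memcpy(e->actions, src, n);
    e->actions_size = n;
    return e;
}

static void entry_free(struct cached_entry *e)
{
    free(e->actions);
    free(e);
}

/* Builds a two-entry cache (A at index 0, B at index 1), runs one lookup
 * with the given matcher and returns the index of the first hit, or -1. */
int lookup_in_sample_cache(match_fn match, const uint8_t *actions,
                           ssize_t actions_size)
{
    struct cached_entry *cache[2] = {
        entry_new(ACTIONS_A, sizeof(ACTIONS_A)),
        entry_new(ACTIONS_B, sizeof(ACTIONS_B)),
    };
    int hit = -1;

    for (size_t i = 0; i < 2 && hit < 0; i++)
        if (match(cache[i], actions, actions_size) == 0)
            hit = (int)i;

    entry_free(cache[0]);
    entry_free(cache[1]);
    return hit;
}

int main(void)
{
    /* Prefix key: the unsafe matcher reports a hit on A, the safe one does not. */
    printf("prefix key, unsafe: %d\n", lookup_in_sample_cache(match_unsafe,
           KEY_PREFIX, (ssize_t)sizeof(KEY_PREFIX)));
    printf("prefix key, safe:   %d\n", lookup_in_sample_cache(match_safe,
           KEY_PREFIX, (ssize_t)sizeof(KEY_PREFIX)));
    /* Longer key is only run through match_safe: with match_unsafe it
     * would read one byte past entry A, which is undefined behaviour. */
    printf("longer key, safe:   %d\n", lookup_in_sample_cache(match_safe,
           KEY_LONGER, (ssize_t)sizeof(KEY_LONGER)));
    return 0;
}
```

Building with -fsanitize=address and calling match_unsafe with KEY_LONGER reproduces the heap-buffer-overflow report; the prefix case shows the quieter failure the size check also removes, a false cache hit with no sanitizer report at all.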
* Re: [PATCH] net/mlx5: fix heap-buffer-overflow in sample group match
From: Raslan Darawsheh @ 2026-03-24 12:26 UTC
To: Shani Peretz, dev
Cc: stable, Dariusz Sosnowski, Viacheslav Ovsiienko, Bing Zhao,
Ori Kam, Suanming Mou, Matan Azrad, Gregory Etelson
Hi,
On 15/03/2026 10:44 AM, Shani Peretz wrote:
> The cached group match callback compares serialized actions
> using memcmp with the size of the new actions buffer.
> When the new actions serialize to a larger buffer than an existing
> cached entry, memcmp reads past the cached entry's heap allocation,
> causing a heap-buffer-overflow detected by AddressSanitizer.
>
> Add a size comparison before the memcmp so that entries with
> different serialized sizes are rejected as non-matching immediately,
> avoiding the out-of-bounds read.
>
> Fixes: d986f04d6529 ("net/mlx5: add functions for non-template flow sample")
> Cc: stable@dpdk.org
>
> Signed-off-by: Shani Peretz <shperetz@nvidia.com>
> Acked-by: Dariusz Sosnowski <dsosnowski@nvidia.com>
Patch applied to next-net-mlx.
Kindest regards
Raslan Darawsheh