rte_pmd_i40e_get_ddp_info() retrieves the I40E segment header with
i40e_find_segment_in_package(). That helper may return NULL if the
segment cannot be found.
The returned pointer is validated only in one code path, while other
branches use it without checking. This can lead to a NULL pointer
dereference when parsing a malformed or incomplete DDP package.
Move the NULL check right before the segment usage so it applies to all
request types needed.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: edeab742edac ("net/i40e: get information about DDP profile")
Cc: [email protected]
Signed-off-by: Daniil Agalakov <[email protected]>
Signed-off-by: Daniil Iskhakov <[email protected]>
---
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
---
drivers/net/intel/i40e/rte_pmd_i40e.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/net/intel/i40e/rte_pmd_i40e.c
b/drivers/net/intel/i40e/rte_pmd_i40e.c
index 4fdef9464b..78b1f1f12d 100644
--- a/drivers/net/intel/i40e/rte_pmd_i40e.c
+++ b/drivers/net/intel/i40e/rte_pmd_i40e.c
@@ -1878,6 +1878,11 @@ int rte_pmd_i40e_get_ddp_info(uint8_t *pkg_buff,
uint32_t pkg_size,
return I40E_SUCCESS;
}
+ if (!i40e_seg_hdr) {
+ PMD_DRV_LOG(ERR, "Failed to find i40e segment header");
+ return -EINVAL;
+ }
+
/* get i40e segment header info */
if (type == RTE_PMD_I40E_PKG_INFO_HEADER) {
struct rte_pmd_i40e_profile_info *info =
@@ -1893,11 +1898,6 @@ int rte_pmd_i40e_get_ddp_info(uint8_t *pkg_buff,
uint32_t pkg_size,
return -EINVAL;
}
- if (!i40e_seg_hdr) {
- PMD_DRV_LOG(ERR, "Failed to find i40e segment header");
- return -EINVAL;
- }
-
memset(info, 0, sizeof(struct rte_pmd_i40e_profile_info));
info->owner = RTE_PMD_I40E_DDP_OWNER_UNKNOWN;
info->track_id =
--
2.43.0
