When parsing an ntuple filter, the code attempts to ensure that if the
first item is ETH or VLAN, its spec and mask are either absent or
contain only zero fields. The current check is:
if ((item->spec || item->mask) &&
(memcmp(spec, &null_struct, size) ||
memcmp(mask, &null_struct, size)))
This condition is logically incorrect. If item->spec points to a
zero-filled structure and item->mask is NULL, memcmp(mask) would
dereference a NULL pointer.
The intended behavior is to reject any non-zero spec or mask.
Guard each memcmp() call with a check of the corresponding pointer while
keeping a single error path.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 46ea969177f3 ("net/ixgbe: add ntuple support to flow parser")
Cc: [email protected]
Signed-off-by: Daniil Agalakov <[email protected]>
Signed-off-by: Daniil Iskhakov <[email protected]>
---
v2:
- Kept spec/mask validation as a single condition.
- Added explicit comparisons against NULL and zero.
- Fixed continuation indentation.
- Fixed the commit message.
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
---
drivers/net/intel/ixgbe/ixgbe_flow.c | 25 ++++++++-----------------
1 file changed, 8 insertions(+), 17 deletions(-)
diff --git a/drivers/net/intel/ixgbe/ixgbe_flow.c
b/drivers/net/intel/ixgbe/ixgbe_flow.c
index 01cd4f9bde..a855cbfbd2 100644
--- a/drivers/net/intel/ixgbe/ixgbe_flow.c
+++ b/drivers/net/intel/ixgbe/ixgbe_flow.c
@@ -238,14 +238,10 @@ cons_parse_ntuple_filter(const struct rte_flow_attr *attr,
}
/* if the first item is MAC, the content should be NULL */
- if ((item->spec || item->mask) &&
- (memcmp(eth_spec, ð_null,
- sizeof(struct rte_flow_item_eth)) ||
- memcmp(eth_mask, ð_null,
- sizeof(struct rte_flow_item_eth)))) {
- rte_flow_error_set(error, EINVAL,
- RTE_FLOW_ERROR_TYPE_ITEM,
- item, "Not supported by ntuple filter");
+ if ((item->spec != NULL && memcmp(eth_spec, ð_null,
sizeof(eth_null)) != 0) ||
+ (item->mask != NULL && memcmp(eth_mask, ð_null,
sizeof(eth_null)) != 0)) {
+ rte_flow_error_set(error, EINVAL,
RTE_FLOW_ERROR_TYPE_ITEM, item,
+ "Not supported by ntuple filter");
return -rte_errno;
}
/* check if the next not void item is IPv4 or Vlan */
@@ -271,15 +267,10 @@ cons_parse_ntuple_filter(const struct rte_flow_attr *attr,
return -rte_errno;
}
/* the content should be NULL */
- if ((item->spec || item->mask) &&
- (memcmp(vlan_spec, &vlan_null,
- sizeof(struct rte_flow_item_vlan)) ||
- memcmp(vlan_mask, &vlan_null,
- sizeof(struct rte_flow_item_vlan)))) {
-
- rte_flow_error_set(error, EINVAL,
- RTE_FLOW_ERROR_TYPE_ITEM,
- item, "Not supported by ntuple filter");
+ if ((item->spec != NULL && memcmp(vlan_spec, &vlan_null,
sizeof(vlan_null)) != 0) ||
+ (item->mask != NULL && memcmp(vlan_mask, &vlan_null,
sizeof(vlan_null)) != 0)) {
+ rte_flow_error_set(error, EINVAL,
RTE_FLOW_ERROR_TYPE_ITEM, item,
+ "Not supported by ntuple filter");
return -rte_errno;
}
/* check if the next not void item is IPv4 */
--
2.43.0
