net/cxgbe: fix illegal memory access when parsing flow match items

Message ID 1535374411-6363-1-git-send-email-rahul.lakkireddy@chelsio.com
State Accepted, archived
Delegated to: Ferruh Yigit
Headers show
Series
  • net/cxgbe: fix illegal memory access when parsing flow match items
Related show

Checks

Context Check Description
ci/Intel-compilation success Compilation OK
ci/checkpatch success coding style OK

Commit Message

Rahul Lakkireddy Aug. 27, 2018, 12:53 p.m.
From: Shagun Agrawal <shaguna@chelsio.com>

Coverity issue: 293096
Fixes: ee61f511 ("net/cxgbe: parse and validate flows")
Cc: stable@dpdk.org

Signed-off-by: Shagun Agrawal <shaguna@chelsio.com>
Signed-off-by: Rahul Lakkireddy <rahul.lakkireddy@chelsio.com>
---
 drivers/net/cxgbe/cxgbe_flow.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Comments

Ferruh Yigit Sept. 3, 2018, 4:36 p.m. | #1
On 8/27/2018 1:53 PM, Rahul Lakkireddy wrote:
> From: Shagun Agrawal <shaguna@chelsio.com>
> 
> Coverity issue: 293096
> Fixes: ee61f511 ("net/cxgbe: parse and validate flows")
> Cc: stable@dpdk.org
> 
> Signed-off-by: Shagun Agrawal <shaguna@chelsio.com>
> Signed-off-by: Rahul Lakkireddy <rahul.lakkireddy@chelsio.com>

Applied to dpdk-next-net/master, thanks.

Patch

diff --git a/drivers/net/cxgbe/cxgbe_flow.c b/drivers/net/cxgbe/cxgbe_flow.c
index add4f0f95..bee3bd640 100644
--- a/drivers/net/cxgbe/cxgbe_flow.c
+++ b/drivers/net/cxgbe/cxgbe_flow.c
@@ -529,10 +529,10 @@  cxgbe_rtef_parse_items(struct rte_flow *flow,
 	char repeat[ARRAY_SIZE(parseitem)] = {0};
 
 	for (i = items; i->type != RTE_FLOW_ITEM_TYPE_END; i++) {
-		struct chrte_fparse *idx = &flow->item_parser[i->type];
+		struct chrte_fparse *idx;
 		int ret;
 
-		if (i->type > ARRAY_SIZE(parseitem))
+		if (i->type >= ARRAY_SIZE(parseitem))
 			return rte_flow_error_set(e, ENOTSUP,
 						  RTE_FLOW_ERROR_TYPE_ITEM,
 						  i, "Item not supported");
@@ -553,6 +553,7 @@  cxgbe_rtef_parse_items(struct rte_flow *flow,
 			if (ret)
 				return ret;
 
+			idx = &flow->item_parser[i->type];
 			if (!idx || !idx->fptr) {
 				return rte_flow_error_set(e, ENOTSUP,
 						RTE_FLOW_ERROR_TYPE_ITEM, i,