When calulate memory size of an RTE_FLOW_ITEM_TYPE_RAW 's mask
mask->length is not the real size of binary pattern, it should take
spec->length, or memory size will be over counted (0xffff) and invalid
memory be access during following memcpy.
Fixes: d0ad8648b1c5 ("app/testpmd: fix RSS flow action configuration")
Signed-off-by: Qi Zhang <qi.z.zh...@intel.com>
---
app/test-pmd/config.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/app/test-pmd/config.c b/app/test-pmd/config.c
index 16fc481ce..bcaf429c4 100644
--- a/app/test-pmd/config.c
+++ b/app/test-pmd/config.c
@@ -1077,7 +1077,8 @@ flow_item_spec_copy(void *buf, const struct rte_flow_item
*item,
dst.raw = buf;
off = RTE_ALIGN_CEIL(sizeof(struct rte_flow_item_raw),
sizeof(*src.raw->pattern));
- size = off + src.raw->length * sizeof(*src.raw->pattern);
+ size = off + ((const struct rte_flow_item_raw *)item->spec)->
+ length * sizeof(*src.raw->pattern);
if (dst.raw) {
memcpy(dst.raw, src.raw, sizeof(*src.raw));
dst.raw->pattern = memcpy((uint8_t *)dst.raw + off,
--
2.13.6
