> -----Original Message-----
> From: Yongseok Koh
> Sent: Monday, October 8, 2018 9:02 PM
> To: Shahaf Shuler <shah...@mellanox.com>
> Cc: dev@dpdk.org; Yongseok Koh <ys...@mellanox.com>; Ori Kam
> <or...@mellanox.com>
> Subject: [PATCH 4/7] net/mlx5: fix validation of VLAN ID in flow spec
>
> This can cause crash by null pointer reference.
>
> Fixes: 4f07e13d6af5 ("net/mlx5: split flow validation to dedicated function")
> Cc: Ori Kam <or...@mellanox.com>
>
> Signed-off-by: Yongseok Koh <ys...@mellanox.com>
> ---
> drivers/net/mlx5/mlx5_flow.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/mlx5/mlx5_flow.c b/drivers/net/mlx5/mlx5_flow.c
> index 69afd4625..c497cacce 100644
> --- a/drivers/net/mlx5/mlx5_flow.c
> +++ b/drivers/net/mlx5/mlx5_flow.c
> @@ -1012,6 +1012,7 @@ mlx5_flow_validate_item_vlan(const struct
> rte_flow_item *item,
> .tci = RTE_BE16(0x0fff),
> .inner_type = RTE_BE16(0xffff),
> };
> + uint16_t vlan_tag = 0;
> const int tunnel = !!(item_flags & MLX5_FLOW_LAYER_TUNNEL);
> int ret;
> const uint32_t l34m = tunnel ? (MLX5_FLOW_LAYER_INNER_L3 |
> @@ -1037,11 +1038,15 @@ mlx5_flow_validate_item_vlan(const struct
> rte_flow_item *item,
> error);
> if (ret)
> return ret;
> + if (spec) {
> + vlan_tag = spec->tci;
> + vlan_tag &= mask->tci;
> + }
> /*
> * From verbs perspective an empty VLAN is equivalent
> * to a packet without VLAN layer.
> */
> - if (!spec->tci)
> + if (!vlan_tag)
> return rte_flow_error_set(error, EINVAL,
>
> RTE_FLOW_ERROR_TYPE_ITEM_SPEC,
> item->spec,
> --
> 2.11.0
Acked-by: Ori Kam <or...@mellanox.com>
Thanks,
Ori Kam
