Function mlx5_rxq_get_type() uses the input queue index, without
checking it, as index to the Rx queues array.
If this value is too high, it will result in pointer to memory out
of Rx queues array bounds.
This patch adds check of the input queue index, to verify it is valid.
Fixes: 09775c04aace ("net/mlx5: split hairpin flows")
Cc: or...@mellanox.com
Signed-off-by: Dekel Peled <dek...@mellanox.com>
---
drivers/net/mlx5/mlx5_rxq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/mlx5/mlx5_rxq.c b/drivers/net/mlx5/mlx5_rxq.c
index 24d0eaa..f9b36ed 100644
--- a/drivers/net/mlx5/mlx5_rxq.c
+++ b/drivers/net/mlx5/mlx5_rxq.c
@@ -2113,7 +2113,7 @@ enum mlx5_rxq_type
struct mlx5_priv *priv = dev->data->dev_private;
struct mlx5_rxq_ctrl *rxq_ctrl = NULL;
- if ((*priv->rxqs)[idx]) {
+ if (idx < priv->rxqs_n && (*priv->rxqs)[idx]) {
rxq_ctrl = container_of((*priv->rxqs)[idx],
struct mlx5_rxq_ctrl,
rxq);
--
1.8.3.1
