On Wed, 10 Jun 2026 19:33:32 +0800 James Raphael Tiovalen <[email protected]> wrote:
> rte_flow_conv() is documented to truncate output to the caller-supplied
> buffer size, but two paths handling variable-length trailing data
> ignored that contract and copied the full payload whenever the
> destination pointer was non-NULL. A caller passing a buffer just large
> enough for the fixed-size header had adjacent memory clobbered:
>
> - GENEVE_OPT: up to option_len * 4 bytes
> - FLEX: up to 4 GiB, since src->length is a uint32_t and the API places
>   no bounds on it
>
> Patch 1 aligns the GENEVE_OPT guard with the sibling RAW branch, which
> already gates its copy on the remaining buffer size.
>
> Patch 2 plumbs the remaining buffer size into the flex-item desc_fn
> callback (which previously took no size argument at all) and gates the
> inner rte_memcpy() on it.
>
> v2 fixes the merge conflict between patch 1 and the main branch.
>
> James Raphael Tiovalen (2):
>   ethdev: fix out-of-bounds write in GENEVE option conversion
>   ethdev: fix out-of-bounds write in flex item conversion
>
>  lib/ethdev/rte_flow.c | 11 ++++++-----
>  1 file changed, 6 insertions(+), 5 deletions(-)
>

Applied to next-net, and added you to .mailmap
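
The truncation contract described in the cover letter, as an added example that is not part of this thread and is not DPDK code: `struct opt_item` and `opt_item_conv()` are hypothetical stand-ins for an item with a fixed header and variable-length trailing data. The trailing copy is gated on the remaining buffer size, while the return value still reports the full length a complete copy needs.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical item: fixed header plus variable-length trailing data. */
struct opt_item {
    uint8_t option_len;   /* trailing length in 4-byte words */
    const uint32_t *data; /* trailing payload, may be NULL */
};

/*
 * Convert src into buf (size bytes). Returns the number of bytes a
 * complete copy needs, so the caller can detect truncation and retry
 * with a larger buffer. Nothing is written past buf + size.
 */
size_t opt_item_conv(void *buf, size_t size, const struct opt_item *src)
{
    struct opt_item *dst = buf;
    size_t off = sizeof(*dst);
    size_t tail = (size_t)src->option_len * sizeof(uint32_t);

    /* Fixed-size part: written only if the whole header fits. */
    if (dst != NULL && size >= off) {
        *dst = *src;
        dst->data = NULL; /* do not keep the source's pointer */
    } else {
        dst = NULL;
    }
    if (src->data != NULL && tail != 0) {
        /*
         * The unsafe form gates this copy on "dst != NULL" alone.
         * The gate has to be the remaining buffer size instead.
         */
        if (dst != NULL && size >= off + tail) {
            void *deep = (uint8_t *)buf + off;
            memcpy(deep, src->data, tail);
            dst->data = deep;
        }
        off += tail;
    }
    return off;
}
```

A caller that passes only `sizeof(struct opt_item)` gets the header back and a return value larger than its buffer, which is the signal to reallocate and call again.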

