Acked-by: Nithin Dabilpuram <[email protected]>
On Thu, Feb 5, 2026 at 11:34 PM Stephen Hemminger <[email protected]> wrote: > > The nix_inl_reass_inb_sa_tbl_setup() function initializes inb_sa_sz > to 1 byte, then allocates a buffer of that size. However, the buffer > is subsequently passed to roc_ow_reass_inb_sa_init() which performs: > > memset(sa, 0, sizeof(struct roc_ow_ipsec_inb_sa)); > > This writes 808 bytes into a 1-byte allocation, causing heap corruption. > > This bug was detected by GCC's -Wstringop-overflow warning when > building with LTO, which enables cross-compilation-unit inlining > and allows the compiler to track the allocation size through to > the memset call. > > Fix by initializing inb_sa_sz to ROC_NIX_INL_OW_IPSEC_INB_SA_SZ, > which is the standard macro used elsewhere in this file for OW > (Sobek) inbound SA allocations. > > Bugzilla ID: 1513 > Fixes: fc9a711b5c8f ("common/cnxk: add NIX inline reassembly profile config") > Cc: [email protected] > Cc: [email protected] > > Signed-off-by: Stephen Hemminger <[email protected]> > --- > drivers/common/cnxk/roc_nix_inl.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/common/cnxk/roc_nix_inl.c > b/drivers/common/cnxk/roc_nix_inl.c > index f8be98efd5..1766f68c17 100644 > --- a/drivers/common/cnxk/roc_nix_inl.c > +++ b/drivers/common/cnxk/roc_nix_inl.c > @@ -583,7 +583,7 @@ nix_inl_reass_inb_sa_tbl_setup(struct roc_nix *roc_nix) > uint64_t sa_idx_w, lenm1_max; > uint64_t res_addr_offset = 0; > uint64_t def_cptq = 0; > - size_t inb_sa_sz = 1; > + size_t inb_sa_sz = ROC_NIX_INL_OW_IPSEC_INB_SA_SZ; > uint8_t profile_id; > struct mbox *mbox; > void *sa; > -- > 2.51.0 >
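Review bot: the fix is only correct if ROC_NIX_INL_OW_IPSEC_INB_SA_SZ is at least sizeof(struct roc_ow_ipsec_inb_sa), and nothing in the hunk ties the two together: the allocation in nix_inl_reass_inb_sa_tbl_setup() is sized from the macro while roc_ow_reass_inb_sa_init() writes sizeof(struct roc_ow_ipsec_inb_sa) bytes, so the two can drift apart again if either changes. Suggest adding a compile-time check next to the allocation, e.g. `_Static_assert(ROC_NIX_INL_OW_IPSEC_INB_SA_SZ >= sizeof(struct roc_ow_ipsec_inb_sa), "inb SA stride too small");` (or the cnxk equivalent of a static assert if the driver has one), so a mismatch fails the build rather than relying on -Wstringop-overflow under LTO to catch it.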
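The size mismatch described in the commit message, with two guards against it, as an added example that is not DPDK or cnxk code. The struct, macro and function names below are stand-ins (inb_sa, INB_SA_SZ, inb_sa_init, inb_sa_tbl_setup) for struct roc_ow_ipsec_inb_sa, ROC_NIX_INL_OW_IPSEC_INB_SA_SZ, roc_ow_reass_inb_sa_init() and nix_inl_reass_inb_sa_tbl_setup(); the 808-byte struct size and the 1-byte pre-patch stride are the figures quoted in the commit message, the 1024-byte stride is an assumed value.

```c
/* Added example, not DPDK/cnxk code: reproduces the allocation/initialisation
 * size mismatch from the patch and adds a compile-time and a runtime guard.
 * All names below are stand-ins for the real cnxk identifiers. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for struct roc_ow_ipsec_inb_sa: only its size matters here, and
 * 808 bytes is the figure quoted in the commit message. */
struct inb_sa {
    uint8_t raw[808];
};

/* Stand-in for ROC_NIX_INL_OW_IPSEC_INB_SA_SZ, the per-entry stride of the
 * inbound SA table. 1024 is an assumed value, not the driver's. */
#define INB_SA_SZ 1024

/* Guard 1: tie the stride macro to the struct at compile time, so a macro that
 * is too small (or a struct that grows past it) fails the build instead of
 * silently corrupting the heap. */
_Static_assert(INB_SA_SZ >= sizeof(struct inb_sa),
               "INB_SA_SZ smaller than struct inb_sa");

/* Guard 2: the initialiser is told how large the buffer is and refuses to
 * write past it. The real roc_ow_reass_inb_sa_init() takes only the pointer,
 * which is why a 1-byte allocation reached its memset. */
static int
inb_sa_init(void *sa, size_t sa_sz)
{
    if (sa == NULL || sa_sz < sizeof(struct inb_sa))
        return -1;
    memset(sa, 0, sizeof(struct inb_sa));
    return 0;
}

/* Mirrors the shape of nix_inl_reass_inb_sa_tbl_setup(): allocate a table of
 * nb_sa entries with stride inb_sa_sz, then initialise every entry.
 * Returns the table, or NULL if the stride cannot hold one SA. */
static void *
inb_sa_tbl_setup(size_t inb_sa_sz, size_t nb_sa)
{
    void *tbl;
    size_t i;

    /* Reject a stride smaller than the struct before anything is written,
     * and refuse overflowing nb_sa * inb_sa_sz. */
    if (inb_sa_sz < sizeof(struct inb_sa) || nb_sa == 0 ||
        nb_sa > SIZE_MAX / inb_sa_sz)
        return NULL;

    tbl = calloc(nb_sa, inb_sa_sz);
    if (tbl == NULL)
        return NULL;

    for (i = 0; i < nb_sa; i++) {
        if (inb_sa_init((uint8_t *)tbl + i * inb_sa_sz, inb_sa_sz) != 0) {
            free(tbl);
            return NULL;
        }
    }
    return tbl;
}

/* The pre-patch stride of 1 byte is rejected before any write happens. */
static int
setup_with_buggy_stride(void)
{
    void *tbl = inb_sa_tbl_setup(1, 4);
    int rejected = (tbl == NULL);

    free(tbl);
    return rejected;
}

/* The macro-sized stride is accepted and all entries are zeroed. */
static int
setup_with_macro_stride(void)
{
    void *tbl = inb_sa_tbl_setup(INB_SA_SZ, 4);
    int ok = (tbl != NULL);

    free(tbl);
    return ok;
}
```

The runtime guard is what the driver's own API lacks, since the initialiser cannot see how much was allocated; the static assertion is the cheaper fix and is the one a reviewer would ask for in the driver. The original pattern (a constant-size memset into a 1-byte malloc visible to the compiler) is exactly what GCC's -Wstringop-overflow reports, as the commit message notes; with LTO the allocation and the memset only need to be visible across translation units, not in the same file.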

