On 3/9/2026 2:28 PM, Ciara Loftus wrote:
When a RTE_FLOW_ITEM_TYPE_RAW item is used with a non-zero length and a NULL pattern pointer in either the spec or mask, a segfault occurs as the pattern bytes are accessed unconditionally in a loop. Add NULL checks for both spec->pattern and mask->pattern before entering the loop that uses those fields.Bugzilla ID: 1155 Fixes: 6ced3dd72f5f ("net/i40e: support flexible payload parsing for FDIR") Cc: [email protected] Signed-off-by: Ciara Loftus <[email protected]> --- drivers/net/intel/i40e/i40e_flow.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/drivers/net/intel/i40e/i40e_flow.c b/drivers/net/intel/i40e/i40e_flow.c index 2374b9bbca..6ad3013573 100644 --- a/drivers/net/intel/i40e/i40e_flow.c +++ b/drivers/net/intel/i40e/i40e_flow.c @@ -2350,6 +2350,24 @@ i40e_flow_parse_fdir_pattern(struct rte_eth_dev *dev, return -rte_errno; }+ if (raw_spec->length != 0) {+ if (raw_spec->pattern == NULL) { + rte_flow_error_set(error, EINVAL, + RTE_FLOW_ERROR_TYPE_ITEM, + item, + "NULL RAW spec pattern"); + return -rte_errno; + } + + if (raw_mask->pattern == NULL) { + rte_flow_error_set(error, EINVAL, + RTE_FLOW_ERROR_TYPE_ITEM, + item, + "NULL RAW mask pattern"); + return -rte_errno; + } + } + for (i = 0; i < raw_spec->length; i++) { j = i + next_dst_off; if (j >= RTE_ETH_FDIR_MAX_FLEXLEN ||
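Review bot: The checks added inside the `if (raw_spec->length != 0)` block only establish that `raw_spec->pattern` and `raw_mask->pattern` are non-NULL. The loop that follows is still bounded by `raw_spec->length` alone, so nothing in the visible lines ensures the mask buffer actually holds that many bytes. Consider validating the mask against `raw_spec->length` in the same block, in line with the suggestion in the reply below, or add a comment stating that the mask pattern is required to be at least as long as the spec pattern. As a smaller style point, the two branches differ only in the message string ("NULL RAW spec pattern" vs "NULL RAW mask pattern") and could share a single error path.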
Maybe also check if raw_mask length matches raw_spec?

Otherwise,
Acked-by: Anatoly Burakov <[email protected]>

--
Thanks,
Anatoly

