The cached group match callback compares serialized actions
using memcmp with the size of the new actions buffer.
When the new actions serialize to a larger buffer than an existing
cached entry, memcmp reads past the cached entry's heap allocation,
causing a heap-buffer-overflow detected by AddressSanitizer.
Add a size comparison before the memcmp so that entries with
different serialized sizes are rejected as non-matching immediately,
avoiding the out-of-bounds read.
Fixes: d986f04d6529 ("net/mlx5: add functions for non-template flow sample")
Cc: [email protected]
Signed-off-by: Shani Peretz <[email protected]>
Acked-by: Dariusz Sosnowski <[email protected]>
---
drivers/net/mlx5/mlx5_nta_sample.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/mlx5/mlx5_nta_sample.c
b/drivers/net/mlx5/mlx5_nta_sample.c
index c637b0ede3..158720fb87 100644
--- a/drivers/net/mlx5/mlx5_nta_sample.c
+++ b/drivers/net/mlx5/mlx5_nta_sample.c
@@ -293,6 +293,8 @@ mlx5_nta_sample_cached_group_match(void *cache_ctx
__rte_unused,
container_of(entry, struct mlx5_nta_sample_cached_group, entry);
if (actions_size < 0)
return ~0;
+ if ((size_t)actions_size != cached_obj->actions_size)
+ return ~0;
return memcmp(cached_obj->actions, obj_ctx->actions, actions_size);
}
--
2.34.1
