The CPFL JSON parser accepts fieldvector offsets and SEM key sizes straight 
from the input description. Reject offsets that would write past the 64-byte 
SEM fieldvector storage and reject key sizes that would later overread the 
fixed source buffer or overflow the destination key buffer.

Signed-off-by: Pengpeng Hou <[email protected]>
---
 drivers/net/intel/cpfl/cpfl_flow_engine_fxp.c |  6 ++++++
 drivers/net/intel/cpfl/cpfl_flow_parser.c     | 12 ++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/drivers/net/intel/cpfl/cpfl_flow_engine_fxp.c 
b/drivers/net/intel/cpfl/cpfl_flow_engine_fxp.c
index 361827c..d0bd909 100644
--- a/drivers/net/intel/cpfl/cpfl_flow_engine_fxp.c
+++ b/drivers/net/intel/cpfl/cpfl_flow_engine_fxp.c
@@ -173,6 +173,12 @@ cpfl_fxp_parse_pattern(const struct cpfl_flow_pr_action 
*pr_action,
        if (pr_action->type == CPFL_JS_PR_ACTION_TYPE_SEM) {
                struct cpfl_rule_info *rinfo = &rim->rules[i];
 
+               if (pr_action->sem.keysize > 
sizeof(pr_action->sem.cpfl_flow_pr_fv) ||
+                   pr_action->sem.keysize > sizeof(rinfo->sem.key)) {
+                       PMD_DRV_LOG(ERR, "Invalid SEM key size.");
+                       return false;
+               }
+
                rinfo->type = CPFL_RULE_TYPE_SEM;
                rinfo->sem.prof_id = pr_action->sem.prof;
                rinfo->sem.sub_prof_id = pr_action->sem.subprof;
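Review bot: The new guard compares keysize against two different arrays without saying why, and the copy it protects is not in the hunk, so a reader has to reconstruct that the source is `pr_action->sem.cpfl_flow_pr_fv` and the destination `rinfo->sem.key` (presumably a later memcpy of keysize bytes; cpfl_fxp_parse_pattern continues outside the hunk). A one-line comment above the `if` would make the two bounds self-explanatory, e.g. `/* keysize bytes are copied from sem.cpfl_flow_pr_fv into rinfo->sem.key; bound by both. */`. The log line `PMD_DRV_LOG(ERR, "Invalid SEM key size.");` also drops the rejected value, which is what someone debugging a JSON description needs; logging keysize (with the format specifier matching its declared type) would help.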
diff --git a/drivers/net/intel/cpfl/cpfl_flow_parser.c 
b/drivers/net/intel/cpfl/cpfl_flow_parser.c
index e7deb61..7fb2e7e 100644
--- a/drivers/net/intel/cpfl/cpfl_flow_parser.c
+++ b/drivers/net/intel/cpfl/cpfl_flow_parser.c
@@ -323,6 +323,10 @@ cpfl_flow_js_pattern_act_fv_proto(json_t *ob_value, struct 
cpfl_flow_js_fv *js_f
                PMD_DRV_LOG(ERR, "Can not parse 'offset'.");
                return -EINVAL;
        }
+       if (offset >= CPFL_JS_SEM_FV_KEY_NUM_MAX / 2) {
+               PMD_DRV_LOG(ERR, "The 'offset' is too large.");
+               return -EINVAL;
+       }
        ret = cpfl_json_t_to_uint16(ob_value, "mask", &mask);
        if (ret < 0) {
                PMD_DRV_LOG(ERR, "Can not parse 'mask'.");
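Review bot: The bound `CPFL_JS_SEM_FV_KEY_NUM_MAX / 2` is an unexplained magic expression; nothing in the hunk says what unit 'offset' is in or why half of the key-entry count is the limit for it, and the commit message only speaks of 64 bytes of storage. The same expression is repeated in cpfl_flow_js_pattern_act_fv (next hunk), so a named constant derived from the existing macro, or at least a comment such as `/* offset indexes 16-bit words of the fieldvector storage, so half the key-entry count is the limit. */` (adjusted to the real unit), would document the relationship once. Both checks assume offset is unsigned at this point; the hunk does not show its declaration, so if it is a signed local, negative values would pass the `>=` test. cpfl_flow_js_pattern_act_fv_proto starts outside the hunk.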
@@ -391,6 +395,10 @@ cpfl_flow_js_pattern_act_fv(json_t *ob_fvs, struct 
cpfl_flow_js_pr_action *js_ac
                        PMD_DRV_LOG(ERR, "Can not parse 'offset'.");
                        goto err;
                }
+               if (offset >= CPFL_JS_SEM_FV_KEY_NUM_MAX / 2) {
+                       PMD_DRV_LOG(ERR, "The 'offset' is too large.");
+                       goto err;
+               }
                js_fv->offset = offset;
 
                type = cpfl_json_t_to_string(object, "type");
@@ -454,6 +462,10 @@ cpfl_flow_js_pattern_per_act(json_t *ob_per_act, struct 
cpfl_flow_js_pr_action *
                        PMD_DRV_LOG(ERR, "Can not parse 'keysize'.");
                        return -EINVAL;
                }
+               if (js_act->sem.keysize > sizeof(js_act->sem.cpfl_flow_pr_fv)) {
+                       PMD_DRV_LOG(ERR, "The 'keysize' is too large.");
+                       return -EINVAL;
+               }
                ob_fvs = json_object_get(ob_sem, "fieldvectors");
                ret = cpfl_flow_js_pattern_act_fv(ob_fvs, js_act);
                if (ret < 0)
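Review bot: The parser-side keysize check only bounds the upper end, so a 'keysize' of 0 is accepted and then passed on to cpfl_flow_js_pattern_act_fv; whether a zero-length SEM key is meaningful cannot be told from the hunk, and if it is not, `if (js_act->sem.keysize == 0 || js_act->sem.keysize > sizeof(js_act->sem.cpfl_flow_pr_fv))` would reject it at parse time rather than later. As in the engine-side check, logging the rejected value next to `"The 'keysize' is too large."` would make bad descriptions easier to diagnose. cpfl_flow_js_pattern_per_act starts and ends outside the hunk.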
-- 
2.50.1 (Apple Git-155)
