rte_flow_conv() is documented to truncate output to the caller-supplied buffer size, but two paths handling variable-length trailing data ignored that contract and copied the full payload whenever the destination pointer was non-NULL. A caller passing a buffer just large enough for the fixed-size header had adjacent memory clobbered:
- GENEVE_OPT: up to option_len * 4 bytes - FLEX: up to 4 GiB, since src->length is a uint32_t and the API places no bounds on it Patch 1 aligns the GENEVE_OPT guard with the sibling RAW branch, which already gates its copy on the remaining buffer size. Patch 2 plumbs the remaining buffer size into the flex-item desc_fn callback (which previously took no size argument at all) and gates the inner rte_memcpy() on it. James Raphael Tiovalen (2): ethdev: fix out-of-bounds write in GENEVE option conversion ethdev: fix out-of-bounds write in flex item conversion lib/ethdev/rte_flow.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) -- 2.43.0
