rte_flow_conv_item_spec() is documented to truncate output to the
caller-supplied buffer size. For RTE_FLOW_ITEM_TYPE_GENEVE_OPT, the
deep-copy of the variable-length option data was gated on `size > 0`
instead of `size >= off + tmp`, the form used by the sibling RAW
branch. A caller passing a buffer just large enough for the header
struct had adjacent memory clobbered by up to `option_len * 4` bytes of
option payload.

Align the GENEVE_OPT guard with the RAW one.

Fixes: 841a0445442d ("ethdev: fix GENEVE option item conversion")
Cc: [email protected]
Signed-off-by: James Raphael Tiovalen <[email protected]>
---
lib/ethdev/rte_flow.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/ethdev/rte_flow.c b/lib/ethdev/rte_flow.c
index fe8f43caff..63b686ddfb 100644
--- a/lib/ethdev/rte_flow.c
+++ b/lib/ethdev/rte_flow.c
@@ -697,7 +697,7 @@ rte_flow_conv_item_spec(void *buf, const size_t size,
src.geneve_opt = data;
dst.geneve_opt = buf;
tmp = spec.geneve_opt->option_len << 2;
- if (size > 0 && src.geneve_opt->data) {
+ if (size >= off + tmp && src.geneve_opt->data) {
deep_src = (void *)((uintptr_t)(dst.geneve_opt + 1));
dst.geneve_opt->data = rte_memcpy(deep_src,
src.geneve_opt->data,
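Review bot: the new guard `size >= off + tmp` bounds the copy through `off`, but the destination on the next line is still computed independently as `dst.geneve_opt + 1`, so the check only protects the rte_memcpy if `off` equals `sizeof(*dst.geneve_opt)` at this point, and the assignment to `off` is outside the visible context. Consider deriving `deep_src` from `buf` plus `off`, or adding a short comment stating that invariant, so the bound and the write address cannot drift apart. Separately, for a non-zero `size` smaller than `off + tmp`, the assignment to `dst.geneve_opt->data` is now skipped; the commit message should say what a caller finds in that field after truncation. A unit test calling the conversion with a buffer of exactly the header size would pin down both the absence of the overflow and the resulting `data` value.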
--
2.43.0