authorSuanming Mou <>2019-11-26 16:08:35 +0200
committerFerruh Yigit <>2019-11-26 18:22:27 +0100
commit4a73c86ff616498768aa77ebad8115f99feff2aa (patch)
parent4acb96fd52e9f2a76e8c6ed3e4f2cdb2feb0f230 (diff)
net/mlx5: fix crash on GRE flow rule parsing
When setting the GRE item, the GRE key should follow the GRE header, or the header gre_item pointer used by the key will be invalid. Currently in the mlx5_flow_validate_item_gre_key() function, the header gre_item pointer is accessed before checking whether the key is after the header or not. Once the key item is before the header, an invalid gre_item pointer access happens. Move the gre_item pointer access after the GRE header check to avoid the crash issue. Fixes: a7a0365565a4 ("net/mlx5: match GRE key and present bits") Cc: Signed-off-by: Suanming Mou <> Acked-by: Ori Kam <>
1 files changed, 4 insertions, 2 deletions
diff --git a/drivers/net/mlx5/mlx5_flow.c b/drivers/net/mlx5/mlx5_flow.c
index 65a0e65..5c78ea7 100644
--- a/drivers/net/mlx5/mlx5_flow.c
+++ b/drivers/net/mlx5/mlx5_flow.c
@@ -1998,8 +1998,8 @@ mlx5_flow_validate_item_gre_key(const struct rte_flow_item *item,
const rte_be32_t *mask = item->mask;
int ret = 0;
rte_be32_t gre_key_default_mask = RTE_BE32(UINT32_MAX);
- const struct rte_flow_item_gre *gre_spec = gre_item->spec;
- const struct rte_flow_item_gre *gre_mask = gre_item->mask;
+ const struct rte_flow_item_gre *gre_spec;
+ const struct rte_flow_item_gre *gre_mask;
if (item_flags & MLX5_FLOW_LAYER_GRE_KEY)
return rte_flow_error_set(error, ENOTSUP,
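Review bot: The declarations of `gre_spec` and `gre_mask` are now left uninitialised with no hint of why, so a later tidy-up that folds the assignments back into the declarations would reintroduce the crash this commit fixes. I would initialise both to NULL and put a comment above them such as `/* gre_item is only trustworthy after the item_flags layer checks below; do not dereference it here. */`. With NULL initialisers, an accidental early use fails deterministically instead of reading an indeterminate pointer. The function body starts before this hunk and continues past it.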
@@ -2013,8 +2013,10 @@ mlx5_flow_validate_item_gre_key(const struct rte_flow_item *item,
return rte_flow_error_set(error, ENOTSUP,
"GRE key following a wrong item");
+ gre_mask = gre_item->mask;
if (!gre_mask)
gre_mask = &rte_flow_item_gre_mask;
+ gre_spec = gre_item->spec;
if (gre_spec && (gre_mask->c_rsvd0_ver & RTE_BE16(0x2000)) &&
!(gre_spec->c_rsvd0_ver & RTE_BE16(0x2000)))
return rte_flow_error_set(error, EINVAL,
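Review bot: `gre_mask = gre_item->mask;` still dereferences gre_item without testing the pointer itself; the only protection is the item_flags checks above it, which are only partly visible in this hunk. That is safe only if every caller assigns gre_item whenever it sets the GRE layer flag, which cannot be confirmed from here. Because the item list comes from the application, a cheap guard before the first access would make the validator self-contained: `if (!gre_item) return rte_flow_error_set(error, EINVAL, RTE_FLOW_ERROR_TYPE_ITEM, item, "GRE key without a GRE header item");`. The enclosing function starts before the hunk and continues past its last line.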