lk/linux-kernel-test
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

mlx4_en: Fix read buffer overflow in mlx4_en_complete_rx_desc()

Browse Source 
If the length is less or equal to frag_prefix_size in the first iteration
we write skb_frags_rx[-1] and read from priv->frag_info[-1]

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
roel kluin
2009-08-08 23:54:21 +00:00
committed by David S. Miller
parent be12159b24
commit 973507cb86
1 changed files with 3 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
drivers/net/mlx4/en_rx.c
View File

@@ -506,6 +506,7 @@ static int mlx4_en_complete_rx_desc(struct mlx4_en_priv *priv,
PCI_DMA_FROMDEVICE); PCI_DMA_FROMDEVICE);
} }
/* Adjust size of last fragment to match actual length */ /* Adjust size of last fragment to match actual length */
if (nr > 0)
skb_frags_rx[nr - 1].size = length - skb_frags_rx[nr - 1].size = length -
priv->frag_info[nr - 1].frag_prefix_size; priv->frag_info[nr - 1].frag_prefix_size;
return nr; return nr;