| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4A7E9CCD.7000307@gmail.com> Date: Sun, 09 Aug 2009 11:54:21 +0200 From: Roel Kluin <roel.kluin@...il.com> To: netdev@...r.kernel.org, Andrew Morton <akpm@...ux-foundation.org>, yevgenyp@...lanox.co.il, davem@...emloft.net Subject: [PATCH] mlx4_en: Fix read buffer overflow in mlx4_en_complete_rx_desc() If the length is less or equal to frag_prefix_size in the first iteration we write skb_frags_rx[-1] and read from priv->frag_info[-1] Signed-off-by: Roel Kluin <roel.kluin@...il.com> --- diff --git a/drivers/net/mlx4/en_rx.c b/drivers/net/mlx4/en_rx.c index 91bdfdf..3ac0404 100644 --- a/drivers/net/mlx4/en_rx.c +++ b/drivers/net/mlx4/en_rx.c @@ -506,8 +506,9 @@ static int mlx4_en_complete_rx_desc(struct mlx4_en_priv *priv, PCI_DMA_FROMDEVICE); } /* Adjust size of last fragment to match actual length */ - skb_frags_rx[nr - 1].size = length - - priv->frag_info[nr - 1].frag_prefix_size; + if (nr > 0) + skb_frags_rx[nr - 1].size = length - + priv->frag_info[nr - 1].frag_prefix_size; return nr; fail: -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists