summaryrefslogtreecommitdiffstats
path: root/mm/page-writeback.c
diff options
context:
space:
mode:
authorMichael S. Tsirkin <mst@redhat.com>2014-03-27 12:00:26 +0200
committerDavid S. Miller <davem@davemloft.net>2014-03-28 16:07:31 -0400
commitd8316f3991d207fe32881a9ac20241be8fa2bad0 (patch)
tree76802d9368e0115d9c53ac7cf0477b53011a4486 /mm/page-writeback.c
parent05efa8c943b1d5d90fa8c8147571837573338bb6 (diff)
vhost: fix total length when packets are too short
When mergeable buffers are disabled, and the incoming packet is too large for the rx buffer, get_rx_bufs returns success. This was intentional in order for make recvmsg truncate the packet and then handle_rx would detect err != sock_len and drop it. Unfortunately we pass the original sock_len to recvmsg - which means we use parts of iov not fully validated. Fix this up by detecting this overrun and doing packet drop immediately. CVE-2014-0077 Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'mm/page-writeback.c')
0 files changed, 0 insertions, 0 deletions