diff options
author | Michael S. Tsirkin <mst@redhat.com> | 2014-03-27 12:00:26 +0200 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2014-03-28 16:07:31 -0400 |
commit | d8316f3991d207fe32881a9ac20241be8fa2bad0 (patch) | |
tree | 76802d9368e0115d9c53ac7cf0477b53011a4486 /mm | |
parent | 05efa8c943b1d5d90fa8c8147571837573338bb6 (diff) |
vhost: fix total length when packets are too short
When mergeable buffers are disabled, and the
incoming packet is too large for the rx buffer,
get_rx_bufs returns success.
This was intentional in order for make recvmsg
truncate the packet and then handle_rx would
detect err != sock_len and drop it.
Unfortunately we pass the original sock_len to
recvmsg - which means we use parts of iov not fully
validated.
Fix this up by detecting this overrun and doing packet drop
immediately.
CVE-2014-0077
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'mm')
0 files changed, 0 insertions, 0 deletions