vhost: fix total length when packets are too short - linux

diff options

author	Michael S. Tsirkin <mst@redhat.com>	2014-03-27 11:00:26 +0100
committer	David S. Miller <davem@davemloft.net>	2014-03-28 21:07:31 +0100
commit	d8316f3991d207fe32881a9ac20241be8fa2bad0 (patch)
tree	76802d9368e0115d9c53ac7cf0477b53011a4486 /virt
parent	random32: avoid attempt to late reseed if in the middle of seeding (diff)
download	linux-d8316f3991d207fe32881a9ac20241be8fa2bad0.tar.xz linux-d8316f3991d207fe32881a9ac20241be8fa2bad0.zip

vhost: fix total length when packets are too short

When mergeable buffers are disabled, and the incoming packet is too large for the rx buffer, get_rx_bufs returns success. This was intentional in order for make recvmsg truncate the packet and then handle_rx would detect err != sock_len and drop it. Unfortunately we pass the original sock_len to recvmsg - which means we use parts of iov not fully validated. Fix this up by detecting this overrun and doing packet drop immediately. CVE-2014-0077 Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>

Diffstat (limited to '')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: