Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / d8316f3991d207fe32881a9ac20241be8fa2bad0
commitd8316f3991d207fe32881a9ac20241be8fa2bad0[log] [tgz]
authorMichael S. Tsirkin <mst@redhat.com>Thu Mar 27 12:00:26 2014 +0200
committerDavid S. Miller <davem@davemloft.net>Fri Mar 28 16:07:31 2014 -0400
tree76802d9368e0115d9c53ac7cf0477b53011a4486
parent05efa8c943b1d5d90fa8c8147571837573338bb6 [diff]
vhost: fix total length when packets are too short

When mergeable buffers are disabled, and the
incoming packet is too large for the rx buffer,
get_rx_bufs returns success.

This was intentional in order for make recvmsg
truncate the packet and then handle_rx would
detect err != sock_len and drop it.

Unfortunately we pass the original sock_len to
recvmsg - which means we use parts of iov not fully
validated.

Fix this up by detecting this overrun and doing packet drop
immediately.

CVE-2014-0077

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
1 file changed
tree: 76802d9368e0115d9c53ac7cf0477b53011a4486
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. COPYING
  25. CREDITS
  26. Kbuild
  27. Kconfig
  28. MAINTAINERS
  29. Makefile
  30. README
  31. REPORTING-BUGS