From patchwork Mon Dec 1 16:04:50 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Michael S. Tsirkin" X-Patchwork-Id: 416495 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 89D5514017F for ; Tue, 2 Dec 2014 03:14:25 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754444AbaLAQFM (ORCPT ); Mon, 1 Dec 2014 11:05:12 -0500 Received: from mx1.redhat.com ([209.132.183.28]:43909 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754426AbaLAQFK (ORCPT ); Mon, 1 Dec 2014 11:05:10 -0500 Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id sB1G4tHB029565 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Mon, 1 Dec 2014 11:04:56 -0500 Received: from redhat.com (ovpn-116-42.ams2.redhat.com [10.36.116.42]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with SMTP id sB1G4pRj004887; Mon, 1 Dec 2014 11:04:52 -0500 Date: Mon, 1 Dec 2014 18:04:50 +0200 From: "Michael S. Tsirkin" To: linux-kernel@vger.kernel.org Cc: David Miller , cornelia.huck@de.ibm.com, rusty@au1.ibm.com, nab@linux-iscsi.org, pbonzini@redhat.com, thuth@linux.vnet.ibm.com, dahi@linux.vnet.ibm.com, Jason Wang , Rusty Russell , virtualization@lists.linux-foundation.org, netdev@vger.kernel.org Subject: [PATCH v8 25/50] virtio_net: stricter short buffer length checks Message-ID: <1417449619-24896-26-git-send-email-mst@redhat.com> References: <1417449619-24896-1-git-send-email-mst@redhat.com> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <1417449619-24896-1-git-send-email-mst@redhat.com> X-Mutt-Fcc: =sent X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Our buffer length check is not strict enough for mergeable buffers: buffer can still be shorter that header + address by 2 bytes. Fix that up. Signed-off-by: Michael S. Tsirkin Reviewed-by: Cornelia Huck Reviewed-by: Jason Wang --- drivers/net/virtio_net.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c index 516f2cb..098f443 100644 --- a/drivers/net/virtio_net.c +++ b/drivers/net/virtio_net.c @@ -437,7 +437,7 @@ static void receive_buf(struct virtnet_info *vi, struct receive_queue *rq, struct sk_buff *skb; struct virtio_net_hdr_mrg_rxbuf *hdr; - if (unlikely(len < sizeof(struct virtio_net_hdr) + ETH_HLEN)) { + if (unlikely(len < vi->hdr_len + ETH_HLEN)) { pr_debug("%s: short packet %i\n", dev->name, len); dev->stats.rx_length_errors++; if (vi->mergeable_rx_bufs) {