git.ipfire.org Git - people/arne

author	Michael S. Tsirkin <mst@redhat.com>
	Thu, 27 Mar 2014 10:00:26 +0000 (12:00 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Sun, 27 Apr 2014 00:13:17 +0000 (17:13 -0700)
commit	20a51abb07a34a3af96b4fffac08022763f74c93
tree	b860b9cd77e981e3420e207d60f9f64ef862f93c	tree \| snapshot
parent	4b6da9193692acfe4889cb0a6050239cc613f756	commit \| diff

vhost: fix total length when packets are too short

[ Upstream commit d8316f3991d207fe32881a9ac20241be8fa2bad0 ]

When mergeable buffers are disabled, and the
incoming packet is too large for the rx buffer,
get_rx_bufs returns success.

This was intentional in order for make recvmsg
truncate the packet and then handle_rx would
detect err != sock_len and drop it.

Unfortunately we pass the original sock_len to
recvmsg - which means we use parts of iov not fully
validated.

Fix this up by detecting this overrun and doing packet drop
immediately.

CVE-2014-0077

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>