Michael S. Tsirkin f78f1512ec vhost: fix total length when packets are too short ...

[ Upstream commit d8316f3991 ]

When mergeable buffers are disabled, and the
incoming packet is too large for the rx buffer,
get_rx_bufs returns success.

This was intentional in order for make recvmsg
truncate the packet and then handle_rx would
detect err != sock_len and drop it.

Unfortunately we pass the original sock_len to
recvmsg - which means we use parts of iov not fully
validated.

Fix this up by detecting this overrun and doing packet drop
immediately.

CVE-2014-0077

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

2014-04-14 06:42:18 -07:00

..

Kconfig

Merge tag 'virtio-next-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux

2013-05-02 14:14:04 -07:00

Makefile

Merge tag 'virtio-next-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux

2013-05-02 14:14:04 -07:00

net.c

vhost: fix total length when packets are too short

2014-04-14 06:42:18 -07:00

scsi.c

vhost/scsi: Fix incorrect usage of get_user_pages_fast write parameter

2013-11-13 12:05:32 +09:00

test.c

Merge tag 'virtio-next-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux

2013-05-02 14:14:04 -07:00

test.h

vhost test module

2010-12-09 16:00:21 +02:00

vhost.c

vhost: check owner before we overwrite ubuf_info

2013-06-11 02:46:21 -07:00

vhost.h

vhost: check owner before we overwrite ubuf_info

2013-06-11 02:46:21 -07:00

vringh.c

Add missing module license tag to vring helpers.

2013-05-08 10:49:03 +09:30