Skip to content

L
linux

xiphi1978 / linux

通知 2
Star 0
Fork 0
L
linux

体验新版 GitCode,发现更多精彩内容 >>

提交 973507cb 编写于 作者: R roel kluin 提交者: David S. Miller
浏览文件
操作

mlx4_en: Fix read buffer overflow in mlx4_en_complete_rx_desc() 

If the length is less or equal to frag_prefix_size in the first iteration
we write skb_frags_rx[-1] and read from priv->frag_info[-1]
Signed-off-by: NRoel Kluin <roel.kluin@gmail.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
上级 be12159b
隐藏空白更改
内联 并排
Showing with 3 addition and 2 deletion
drivers/net/mlx4/en_rx.c
浏览文件 @ 973507cb
......@@ -506,8 +506,9 @@ static int mlx4_en_complete_rx_desc(struct mlx4_en_priv *priv,
PCI_DMA_FROMDEVICE);
}
/* Adjust size of last fragment to match actual length */
skb_frags_rx[nr - 1].size = length -
priv->frag_info[nr - 1].frag_prefix_size;
if (nr > 0)
skb_frags_rx[nr - 1].size = length -
priv->frag_info[nr - 1].frag_prefix_size;
return nr;
fail:
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册