Commit 973507cb authored by roel kluin's avatar roel kluin Committed by David S. Miller

mlx4_en: Fix read buffer overflow in mlx4_en_complete_rx_desc()

If the length is less or equal to frag_prefix_size in the first iteration
we write skb_frags_rx[-1] and read from priv->frag_info[-1]
Signed-off-by: default avatarRoel Kluin <roel.kluin@gmail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent be12159b
......@@ -506,6 +506,7 @@ static int mlx4_en_complete_rx_desc(struct mlx4_en_priv *priv,
PCI_DMA_FROMDEVICE);
}
/* Adjust size of last fragment to match actual length */
if (nr > 0)
skb_frags_rx[nr - 1].size = length -
priv->frag_info[nr - 1].frag_prefix_size;
return nr;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment