This patch prevents a NULL dereference when the user has passed a length
longer than an actual buffer to virtio-net.

Cc: Rusty Russell <[email protected]>
Cc: "Michael S. Tsirkin" <[email protected]>
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
Signed-off-by: Sasha Levin <[email protected]>
---
 drivers/net/virtio_net.c |   12 +++++++++++-
 1 files changed, 11 insertions(+), 1 deletions(-)

diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
index bde0dec..4a53d2a 100644
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -208,12 +208,22 @@ static struct sk_buff *page_to_skb(struct virtnet_info 
*vi,
                return NULL;
        }
 
-       while (len) {
+       while (len && page) {
                set_skb_frag(skb, page, offset, &len);
                page = (struct page *)page->private;
                offset = 0;
        }
 
+       /*
+        * This is the case where we ran out of pages in our linked list, but
+        * supposedly have more data to read.
+        */     
+       if (len > 0) {
+               pr_debug("%s: missing data to assemble skb\n", skb->dev->name);
+               dev_kfree_skb(skb);
+               return NULL;
+       }
+
        if (page)
                give_pages(vi, page);
 
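Review bot: The new `if (len > 0)` error path drops the packet with only a pr_debug(), which is normally compiled out, so a device that reports a length longer than the page chain produces silent loss with no accounting. Consider bumping an rx error counter on the net device (for example rx_length_errors in the device stats) before returning NULL, so the condition shows up in interface statistics. The pr_debug() also dereferences skb->dev; it is worth confirming that skb->dev is always set at this point, or taking the name from vi instead. Two smaller points: the comment's closing `*/` line carries trailing whitespace, and `if (len > 0)` could be written `if (len)` to match the `while (len && page)` test just above it.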
-- 
1.7.6.1
