Re: [PATCHv2 net] vhost: fix total length when packets are too short

From: David Miller <davem@davemloft.net>
Date: 2014-03-28 20:09:44
Also in: kvm, lkml, virtualization

From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 27 Mar 2014 12:00:26 +0200

When mergeable buffers are disabled, and the
incoming packet is too large for the rx buffer,
get_rx_bufs returns success.

This was intentional in order for make recvmsg
truncate the packet and then handle_rx would
detect err != sock_len and drop it.

Unfortunately we pass the original sock_len to
recvmsg - which means we use parts of iov not fully
validated.

Fix this up by detecting this overrun and doing packet drop
immediately.

CVE-2014-0077

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---

Changes from v1:
	Fix CVE# in the commit log.
	Patch is unchanged.

Note: this is needed for -stable.

Applied and queued up for -stable.

I wonder if this can still make the release.

I will try but no promises.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help