From: Or Cohen
commit acf69c946233259ab4d64f8869d4037a198c7f06 upstream.
Using tp_reserve to calculate netoff can overflow as
tp_reserve is unsigned int and netoff is unsigned short.
This may lead to macoff receving a smaller value then
sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr
is
Hi,
On Fri, Sep 04, 2020 at 04:36:48PM +0200, gre...@linuxfoundation.org wrote:
> On Fri, Sep 04, 2020 at 02:22:46PM +, Nuernberger, Stefan wrote:
> > On Fri, 2020-09-04 at 16:16 +0200, Greg Kroah-Hartman wrote:
> > > On Fri, Sep 04, 2020 at 03:30:52PM +0200, Stefan Nuernberger wrote:
> > > >
On Fri, Sep 04, 2020 at 02:22:46PM +, Nuernberger, Stefan wrote:
> On Fri, 2020-09-04 at 16:16 +0200, Greg Kroah-Hartman wrote:
> > On Fri, Sep 04, 2020 at 03:30:52PM +0200, Stefan Nuernberger wrote:
> > >
> > > From: Or Cohen
> > >
> > > Using tp_reserve to calculate netoff can overflow as
On Fri, 2020-09-04 at 16:16 +0200, Greg Kroah-Hartman wrote:
> On Fri, Sep 04, 2020 at 03:30:52PM +0200, Stefan Nuernberger wrote:
> >
> > From: Or Cohen
> >
> > Using tp_reserve to calculate netoff can overflow as
> > tp_reserve is unsigned int and netoff is unsigned short.
> >
> > This may le
On Fri, Sep 04, 2020 at 03:30:52PM +0200, Stefan Nuernberger wrote:
> From: Or Cohen
>
> Using tp_reserve to calculate netoff can overflow as
> tp_reserve is unsigned int and netoff is unsigned short.
>
> This may lead to macoff receving a smaller value then
> sizeof(struct virtio_net_hdr), and
From: Or Cohen
Using tp_reserve to calculate netoff can overflow as
tp_reserve is unsigned int and netoff is unsigned short.
This may lead to macoff receving a smaller value then
sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr
is set, an out-of-bounds write will occur when
calling virtio_
