+-- On Tue, 22 Dec 2015, Paolo Bonzini wrote --+
| > ===
| > diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
| > index c57f1a6..2e77e50 100644
| > --- a/hw/net/rocker/rocker.c
| > +++ b/hw/net/rocker/rocker.c
| > @@ -232,6 +232,9 @@ static int tx_consume(Rocker *r, DescInfo *info)
| >
On 22/12/2015 18:26, P J P wrote:
> +-- On Tue, 22 Dec 2015, Paolo Bonzini wrote --+
> | > -if (++iovcnt > ROCKER_TX_FRAGS_MAX) {
> | > +if (++iovcnt >= ROCKER_TX_FRAGS_MAX) {
> |
> | Doesn't this forbid some valid ROCKER_TX_FRAGS_MAX-element iovecs?
>
> forbid..? Sorry, I di
+-- On Tue, 22 Dec 2015, Paolo Bonzini wrote --+
| > -if (++iovcnt > ROCKER_TX_FRAGS_MAX) {
| > +if (++iovcnt >= ROCKER_TX_FRAGS_MAX) {
|
| Doesn't this forbid some valid ROCKER_TX_FRAGS_MAX-element iovecs?
forbid..? Sorry, I did not get the question.
| The check should be mov
On 22/12/2015 14:07, P J P wrote:
> Hello Scott, Jiri
>
> A stack overflow issue was reported by Mr Qinghao Tang, CC'd here. It
> occurs while processing transmit(tx) descriptors in tx_consume()
> routine. If a descriptor was to have more than
> allowed(ROCKER_TX_FRAGS_MAX=16) packet fragments
+-- On Tue, 22 Dec 2015, Jiri Pirko wrote --+
| >From f3461d8098a0572786f5a2d7a492863090c73134 Mon Sep 17 00:00:00 2001
| >From: Prasad J Pandit
| >Date: Tue, 22 Dec 2015 18:21:00 +0530
| >Subject: [PATCH] net: rocker: fix an incorrect array bounds check
| >
| >While processing transmit(tx) descri
Tue, Dec 22, 2015 at 02:07:01PM CET, ppan...@redhat.com wrote:
> Hello Scott, Jiri
>
>A stack overflow issue was reported by Mr Qinghao Tang, CC'd here. It occurs
>while processing transmit(tx) descriptors in tx_consume() routine. If a
>descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=
Hello Scott, Jiri
A stack overflow issue was reported by Mr Qinghao Tang, CC'd here. It occurs
while processing transmit(tx) descriptors in tx_consume() routine. If a
descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=16) packet
fragments, the processing loop suffers an off-by-one
