| Field | Value | Date |
|---|---|---|
| author | Ross Lagerwall <ross.lagerwall@citrix.com> | 2023-08-03 08:41:22 +0200 |
| committer | Juergen Gross <jgross@suse.com> | 2023-08-03 09:04:08 +0200 |
| commit | 534fc31d09b706a16d83533e16b5dc855caf7576 | |
| tree | 78f0abcc04ca238f4b6598737ed79bf476d4832b /scripts/gdb/linux/lists.py | |
| parent | ec351c8f2e6211054e51e661589cddd1fe856425 | |

xen/netback: Fix buffer overrun triggered by unusual packet

It is possible that a guest can send a packet that contains a head + 18
slots and yet has a len <= XEN_NETBACK_TX_COPY_LEN. This causes nr_slots
to underflow in xenvif_get_requests() which then causes the subsequent
loop's termination condition to be wrong, causing a buffer overrun of
queue->tx_map_ops.

Rework the code to account for the extra frag_overflow slots.

This is CVE-2023-34319 / XSA-432.

Fixes: ad7f402ae4f4 ("xen/netback: Ensure protocol headers don't fall in the non-linear area")
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Reviewed-by: Paul Durrant <paul@xen.org>
Reviewed-by: Wei Liu <wei.liu@kernel.org>
Signed-off-by: Juergen Gross <jgross@suse.com>

Diffstat (limited to 'scripts/gdb/linux/lists.py')
0 files changed, 0 insertions, 0 deletions