Ross Lagerwall 534fc31d09 xen/netback: Fix buffer overrun triggered by unusual packet ... It is possible that a guest can send a packet that contains a head + 18 slots and yet has a len <= XEN_NETBACK_TX_COPY_LEN. This causes nr_slots to underflow in xenvif_get_requests() which then causes the subsequent loop's termination condition to be wrong, causing a buffer overrun of queue->tx_map_ops. Rework the code to account for the extra frag_overflow slots. This is CVE-2023-34319 / XSA-432. Fixes: ad7f402ae4 ("xen/netback: Ensure protocol headers don't fall in the non-linear area") Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com> Reviewed-by: Paul Durrant <paul@xen.org> Reviewed-by: Wei Liu <wei.liu@kernel.org> Signed-off-by: Juergen Gross <jgross@suse.com>		2023-08-03 09:04:08 +02:00
..
common.h	xen/netback: don't do grant copy across page boundary	2023-03-28 14:16:40 +02:00
hash.c	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
interface.c	xen/netback: don't call kfree_skb() with interrupts disabled	2022-12-06 16:00:33 +01:00
Makefile	treewide: Add SPDX license identifier - Makefile/Kconfig	2019-05-21 10:50:46 +02:00
netback.c	xen/netback: Fix buffer overrun triggered by unusual packet	2023-08-03 09:04:08 +02:00
rx.c	xen/netback: don't call kfree_skb() with interrupts disabled	2022-12-06 16:00:33 +01:00
xenbus.c	driver core: make struct bus_type.uevent() take a const *	2023-01-27 13:45:52 +01:00