android_kernel_samsung_sm8650/drivers/net/xen-netback
Ross Lagerwall fa5b932b77 xen/netback: Fix buffer overrun triggered by unusual packet
commit 534fc31d09b706a16d83533e16b5dc855caf7576 upstream.

It is possible that a guest can send a packet that contains a head + 18
slots and yet has a len <= XEN_NETBACK_TX_COPY_LEN. This causes nr_slots
to underflow in xenvif_get_requests() which then causes the subsequent
loop's termination condition to be wrong, causing a buffer overrun of
queue->tx_map_ops.

Rework the code to account for the extra frag_overflow slots.

This is CVE-2023-34319 / XSA-432.

Fixes: ad7f402ae4 ("xen/netback: Ensure protocol headers don't fall in the non-linear area")
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Reviewed-by: Paul Durrant <paul@xen.org>
Reviewed-by: Wei Liu <wei.liu@kernel.org>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-08-08 20:03:51 +02:00
common.h xen/netback: don't do grant copy across page boundary 2023-04-06 12:10:52 +02:00
hash.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
interface.c xen/netback: don't call kfree_skb() with interrupts disabled 2022-12-06 16:00:33 +01:00
Makefile treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
netback.c xen/netback: Fix buffer overrun triggered by unusual packet 2023-08-08 20:03:51 +02:00
rx.c xen/netback: don't call kfree_skb() with interrupts disabled 2022-12-06 16:00:33 +01:00
xenbus.c xen-netback: use kstrdup instead of open-coding it 2022-09-23 12:03:35 +01:00