e84ec1da1b
(cherry picked from commit 853ff4cc62
)
36 lines
1.1 KiB
Diff
36 lines
1.1 KiB
Diff
From f8bc4b3be49e47dcf005ce12ef25071fe16bd45b Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
|
|
<marmarek@invisiblethingslab.com>
|
|
Date: Wed, 16 Dec 2015 05:22:24 +0100
|
|
Subject: [PATCH] xen-netfront: add range check for Tx response id
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Tx response ID is fetched from shared page, so make sure it is sane
|
|
before using it as an array index.
|
|
|
|
This is part of XSA155.
|
|
|
|
CC: stable@vger.kernel.org
|
|
Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
|
|
---
|
|
drivers/net/xen-netfront.c | 1 +
|
|
1 file changed, 1 insertion(+)
|
|
|
|
diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
|
|
index 026d39702217..4150128ab893 100644
|
|
--- a/drivers/net/xen-netfront.c
|
|
+++ b/drivers/net/xen-netfront.c
|
|
@@ -395,6 +395,7 @@ static void xennet_tx_buf_gc(struct netfront_queue *queue)
|
|
continue;
|
|
|
|
id = txrsp.id;
|
|
+ BUG_ON(id >= NET_TX_RING_SIZE);
|
|
skb = queue->tx_skbs[id].skb;
|
|
if (unlikely(gnttab_query_foreign_access(
|
|
queue->grant_tx_ref[id]) != 0)) {
|
|
--
|
|
2.17.1
|
|
|