From: Michael S. Tsirkin <mst@redhat.com>
Date: Thu, 27 Mar 2014 10:00:26 +0000 (+0200)
Subject: vhost: fix total length when packets are too short
X-Git-Tag: v3.14~8^2~11
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d8316f3991d207fe32881a9ac20241be8fa2bad0;p=pandora-kernel.git

vhost: fix total length when packets are too short

When mergeable buffers are disabled, and the
incoming packet is too large for the rx buffer,
get_rx_bufs returns success.

This was intentional in order for make recvmsg
truncate the packet and then handle_rx would
detect err != sock_len and drop it.

Unfortunately we pass the original sock_len to
recvmsg - which means we use parts of iov not fully
validated.

Fix this up by detecting this overrun and doing packet drop
immediately.

CVE-2014-0077

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---

Reading git-diff-tree failed