534fc31d09
It is possible that a guest can send a packet that contains a head + 18
slots and yet has a len <= XEN_NETBACK_TX_COPY_LEN. This causes nr_slots
to underflow in xenvif_get_requests() which then causes the subsequent
loop's termination condition to be wrong, causing a buffer overrun of
queue->tx_map_ops.
Rework the code to account for the extra frag_overflow slots.
This is CVE-2023-34319 / XSA-432.
Fixes:
|
||
---|---|---|
.. | ||
Makefile | ||
common.h | ||
hash.c | ||
interface.c | ||
netback.c | ||
rx.c | ||
xenbus.c |