mlx4_en: Fix read buffer overflow in mlx4_en_complete_rx_desc()
If the length is less or equal to frag_prefix_size in the first iteration we write skb_frags_rx[-1] and read from priv->frag_info[-1] Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
be12159b24
commit
973507cb86
|
@ -506,8 +506,9 @@ static int mlx4_en_complete_rx_desc(struct mlx4_en_priv *priv,
|
||||||
PCI_DMA_FROMDEVICE);
|
PCI_DMA_FROMDEVICE);
|
||||||
}
|
}
|
||||||
/* Adjust size of last fragment to match actual length */
|
/* Adjust size of last fragment to match actual length */
|
||||||
skb_frags_rx[nr - 1].size = length -
|
if (nr > 0)
|
||||||
priv->frag_info[nr - 1].frag_prefix_size;
|
skb_frags_rx[nr - 1].size = length -
|
||||||
|
priv->frag_info[nr - 1].frag_prefix_size;
|
||||||
return nr;
|
return nr;
|
||||||
|
|
||||||
fail:
|
fail:
|
||||||
|
|
Loading…
Reference in New Issue