From 973507cb8610d4c84f090d5f1f0ca54fa0559d27 Mon Sep 17 00:00:00 2001 From: roel kluin Date: Sat, 8 Aug 2009 23:54:21 +0000 Subject: mlx4_en: Fix read buffer overflow in mlx4_en_complete_rx_desc() If the length is less or equal to frag_prefix_size in the first iteration we write skb_frags_rx[-1] and read from priv->frag_info[-1] Signed-off-by: Roel Kluin Signed-off-by: David S. Miller --- drivers/net/mlx4/en_rx.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'drivers/net/mlx4') diff --git a/drivers/net/mlx4/en_rx.c b/drivers/net/mlx4/en_rx.c index 91bdfdfd431..3ac0404d0d1 100644 --- a/drivers/net/mlx4/en_rx.c +++ b/drivers/net/mlx4/en_rx.c @@ -506,8 +506,9 @@ static int mlx4_en_complete_rx_desc(struct mlx4_en_priv *priv, PCI_DMA_FROMDEVICE); } /* Adjust size of last fragment to match actual length */ - skb_frags_rx[nr - 1].size = length - - priv->frag_info[nr - 1].frag_prefix_size; + if (nr > 0) + skb_frags_rx[nr - 1].size = length - + priv->frag_info[nr - 1].frag_prefix_size; return nr; fail: -- cgit v1.2.3-18-g5258