Commit db5c97f0 authored by Li RongQing's avatar Li RongQing Committed by Daniel Borkmann

xsk: Fix out of boundary write in __xsk_rcv_memcpy

first_len is the remainder of the first page we're copying.
If this size is larger, then out of page boundary write will
otherwise happen.

Fixes: c05cd364 ("xsk: add support to allow unaligned chunk placement")
Signed-off-by: default avatarLi RongQing <lirongqing@baidu.com>
Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
Acked-by: default avatarJonathan Lemon <jonathan.lemon@gmail.com>
Acked-by: default avatarBjörn Töpel <bjorn.topel@intel.com>
Link: https://lore.kernel.org/bpf/1585813930-19712-1-git-send-email-lirongqing@baidu.com
parent 5222d696
...@@ -131,8 +131,9 @@ static void __xsk_rcv_memcpy(struct xdp_umem *umem, u64 addr, void *from_buf, ...@@ -131,8 +131,9 @@ static void __xsk_rcv_memcpy(struct xdp_umem *umem, u64 addr, void *from_buf,
u64 page_start = addr & ~(PAGE_SIZE - 1); u64 page_start = addr & ~(PAGE_SIZE - 1);
u64 first_len = PAGE_SIZE - (addr - page_start); u64 first_len = PAGE_SIZE - (addr - page_start);
memcpy(to_buf, from_buf, first_len + metalen); memcpy(to_buf, from_buf, first_len);
memcpy(next_pg_addr, from_buf + first_len, len - first_len); memcpy(next_pg_addr, from_buf + first_len,
len + metalen - first_len);
return; return;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment