summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorroel kluin <roel.kluin@gmail.com>2009-08-08 23:54:21 +0000
committerDavid S. Miller <davem@davemloft.net>2009-08-09 21:47:01 -0700
commit973507cb8610d4c84f090d5f1f0ca54fa0559d27 (patch)
tree5d372cd2c7263065ccf318cc62ff01ddda0d0226
parentbe12159b24c532b4b48bdec5a543336438faa132 (diff)
mlx4_en: Fix read buffer overflow in mlx4_en_complete_rx_desc()
If the length is less or equal to frag_prefix_size in the first iteration we write skb_frags_rx[-1] and read from priv->frag_info[-1] Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--drivers/net/mlx4/en_rx.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/drivers/net/mlx4/en_rx.c b/drivers/net/mlx4/en_rx.c
index 91bdfdfd431f..3ac0404d0d11 100644
--- a/drivers/net/mlx4/en_rx.c
+++ b/drivers/net/mlx4/en_rx.c
@@ -506,8 +506,9 @@ static int mlx4_en_complete_rx_desc(struct mlx4_en_priv *priv,
PCI_DMA_FROMDEVICE);
}
/* Adjust size of last fragment to match actual length */
- skb_frags_rx[nr - 1].size = length -
- priv->frag_info[nr - 1].frag_prefix_size;
+ if (nr > 0)
+ skb_frags_rx[nr - 1].size = length -
+ priv->frag_info[nr - 1].frag_prefix_size;
return nr;
fail: