mlx4_en: Fix read buffer overflow in mlx4_en_complete_rx_desc()

If the length is less or equal to frag_prefix_size in the first iteration we write skb_frags_rx[-1] and read from priv->frag_info[-1] Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>

mlx4_en: Fix read buffer overflow in mlx4_en_complete_rx_desc()
If the length is less or equal to frag_prefix_size in the first iteration we write skb_frags_rx[-1] and read from priv->frag_info[-1] Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
973507cb · roel kluin · David S. Miller · be12159b · 973507cb
Commit 973507cb authored Aug 08, 2009 by roel kluin Committed by David S. Miller Aug 09, 2009
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 2 deletions

drivers/net/mlx4/en_rx.c drivers/net/mlx4/en_rx.c +3 -2

No files found.
--- a/drivers/net/mlx4/en_rx.c
+++ b/drivers/net/mlx4/en_rx.c
@@ -506,8 +506,9 @@ static int mlx4_en_complete_rx_desc(struct mlx4_en_priv *priv,
 				 PCI_DMA_FROMDEVICE);
 	}
 	/* Adjust size of last fragment to match actual length */
-	skb_frags_rx[nr - 1].size = length -
-		priv->frag_info[nr - 1].frag_prefix_size;
+	if (nr > 0)
+		skb_frags_rx[nr - 1].size = length -
+			priv->frag_info[nr - 1].frag_prefix_size;
 	return nr;

 fail: