mlx4_en: Fix read buffer overflow in mlx4_en_complete_rx_desc()
authorroel kluin <roel.kluin@gmail.com>
Sat, 8 Aug 2009 23:54:21 +0000 (23:54 +0000)
committerDavid S. Miller <davem@davemloft.net>
Mon, 10 Aug 2009 04:47:01 +0000 (21:47 -0700)
If the length is less or equal to frag_prefix_size in the first iteration
we write skb_frags_rx[-1] and read from priv->frag_info[-1]

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/mlx4/en_rx.c

index 91bdfdfd431f214665e3b66c6c9028de3f64ff04..3ac0404d0d11e6391531385e7a79bd4662a4602a 100644 (file)
@@ -506,8 +506,9 @@ static int mlx4_en_complete_rx_desc(struct mlx4_en_priv *priv,
                                 PCI_DMA_FROMDEVICE);
        }
        /* Adjust size of last fragment to match actual length */
-       skb_frags_rx[nr - 1].size = length -
-               priv->frag_info[nr - 1].frag_prefix_size;
+       if (nr > 0)
+               skb_frags_rx[nr - 1].size = length -
+                       priv->frag_info[nr - 1].frag_prefix_size;
        return nr;
 
 fail: