mlx4_en: Fix read buffer overflow in mlx4_en_complete_rx_desc() If the length is less or equal to frag_prefix_size in the first iteration we write skb_frags_rx[-1] and read from priv->frag_info[-1] Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>

commit: 973507cb8610d4c84f090d5f1f0ca54fa0559d27 [log] [tgz]
author: roel kluin <roel.kluin@gmail.com> Sat Aug 08 23:54:21 2009 +0000
committer: David S. Miller <davem@davemloft.net> Sun Aug 09 21:47:01 2009 -0700
tree: 5d372cd2c7263065ccf318cc62ff01ddda0d0226
parent: be12159b24c532b4b48bdec5a543336438faa132 [diff] [blame]
diff --git a/drivers/net/mlx4/en_rx.c b/drivers/net/mlx4/en_rx.c
index 91bdfdf..3ac0404 100644
--- a/drivers/net/mlx4/en_rx.c
+++ b/drivers/net/mlx4/en_rx.c

@@ -506,8 +506,9 @@
 				 PCI_DMA_FROMDEVICE);
 	}
 	/* Adjust size of last fragment to match actual length */
-	skb_frags_rx[nr - 1].size = length -
-		priv->frag_info[nr - 1].frag_prefix_size;
+	if (nr > 0)
+		skb_frags_rx[nr - 1].size = length -
+			priv->frag_info[nr - 1].frag_prefix_size;
 	return nr;
 
 fail:
commit	973507cb8610d4c84f090d5f1f0ca54fa0559d27	[log] [tgz]
author	roel kluin <roel.kluin@gmail.com>	Sat Aug 08 23:54:21 2009 +0000
committer	David S. Miller <davem@davemloft.net>	Sun Aug 09 21:47:01 2009 -0700
tree	5d372cd2c7263065ccf318cc62ff01ddda0d0226
parent	be12159b24c532b4b48bdec5a543336438faa132 [diff] [blame]