Check that the rx packet length indicated by the header does not exceed the iov length. Fixes: b68396fad17f ("virtio/vsock: replace virtio_vsock_pkt with sk_buff") Reported-by: syzbot+30b72abaa17c07fe39dd@xxxxxxxxxxxxxxxxxxxxxxxxx Signed-off-by: Bobby Eshleman <bobby.eshleman@xxxxxxxxxxxxx> --- drivers/vhost/vsock.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c index 982ca479c659..84dec9ac62c1 100644 --- a/drivers/vhost/vsock.c +++ b/drivers/vhost/vsock.c @@ -365,8 +365,9 @@ vhost_vsock_alloc_skb(struct vhost_virtqueue *vq, if (!payload_len) return skb; - /* The pkt is too big */ - if (payload_len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE) { + /* The pkt is too big or the length in the header is invalid */ + if (payload_len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE || + payload_len > len) { kfree_skb(skb); return NULL; } -- 2.20.1
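Review bot: the new bound `payload_len > len` in vhost_vsock_alloc_skb() compares the payload length from the header against `len`, which the commit message describes as the iov length. If `len` covers the whole descriptor chain, including the packet header that precedes the payload, then a `payload_len` equal to `len` still passes this check even though fewer than `len` bytes remain for the payload. Please confirm what `len` counts at this point, and if it includes the header, bound the payload by the remaining space (payload length plus header size compared against `len`) rather than by `len` itself. The commit message would also benefit from a sentence on what goes wrong when the header length exceeds the iov length, since the syzbot report is referenced but the failure it triggered is not described.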