xsk: Fix out of boundary write in __xsk_rcv_memcpy

first_len is the remainder of the first page we're copying.
If this size is larger, then out of page boundary write will
otherwise happen.

Fixes: c05cd3645814 ("xsk: add support to allow unaligned chunk placement")
Signed-off-by: Li RongQing <lirongqing@baidu.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Jonathan Lemon <jonathan.lemon@gmail.com>
Acked-by: Björn Töpel <bjorn.topel@intel.com>
Link: https://lore.kernel.org/bpf/1585813930-19712-1-git-send-email-lirongqing@baidu.com

diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
index 356f90e..c350108 100644 (file)
--- a/net/xdp/xsk.c
+++ b/net/xdp/xsk.c
@@ -131,8 +131,9 @@ static void __xsk_rcv_memcpy(struct xdp_umem *umem, u64 addr, void *from_buf,
                u64 page_start = addr & ~(PAGE_SIZE - 1);
                u64 first_len = PAGE_SIZE - (addr - page_start);
 
-               memcpy(to_buf, from_buf, first_len + metalen);
-               memcpy(next_pg_addr, from_buf + first_len, len - first_len);
+               memcpy(to_buf, from_buf, first_len);
+               memcpy(next_pg_addr, from_buf + first_len,
+                      len + metalen - first_len);
 
                return;
        }