hv_sock: Return -EIO for malformed/short packets (3d1f2072) · Commits · git / linux-net

net/vmw_vsock/hyperv_transport.c

+18 −9

Original line number	Diff line number	Diff line
		@@ -704,17 +704,26 @@ static s64 hvs_stream_has_data(struct vsock_sock *vsk)
		if (hvs->recv_desc) {
		/* Here hvs->recv_data_len is 0, so hvs->recv_desc must
		* be NULL unless it points to the 0-byte-payload FIN
		* packet: see hvs_update_recv_data().
		* packet or a malformed/short packet: see
		* hvs_update_recv_data().
		*
		* Here all the payload has been dequeued, but
		* hvs_channel_readable_payload() still returns 1,
		* because the VMBus ringbuffer's read_index is not
		* updated for the FIN packet: hvs_stream_dequeue() ->
		* hv_pkt_iter_next() updates the cached priv_read_index
		* but has no opportunity to update the read_index in
		* hv_pkt_iter_close() as hvs_stream_has_data() returns
		* 0 for the FIN packet, so it won't get dequeued.
		* If hvs->recv_desc points to the FIN packet, here all
		* the payload has been dequeued and the peer_shutdown
		* flag is set, but hvs_channel_readable_payload() still
		* returns 1, because the VMBus ringbuffer's read_index
		* is not updated for the FIN packet:
		* hvs_stream_dequeue() -> hv_pkt_iter_next() updates
		* the cached priv_read_index but has no opportunity to
		* update the read_index in hv_pkt_iter_close() as
		* hvs_stream_has_data() returns 0 for the FIN packet,
		* so it won't get dequeued.
		*
		* In case hvs->recv_desc points to a malformed/short
		* packet, return -EIO.
		*/
		if (!(vsk->peer_shutdown & SEND_SHUTDOWN))
		return -EIO;

		return 0;
		}