Commit d114bfdc authored Apr 09, 2026 by Norbert Szetei Committed by Jakub Kicinski Apr 12, 2026

vsock: fix buffer size clamping order



In vsock_update_buffer_size(), the buffer size was being clamped to the
maximum first, and then to the minimum. If a user sets a minimum buffer
size larger than the maximum, the minimum check overrides the maximum
check, inverting the constraint.

This breaks the intended socket memory boundaries by allowing the
vsk->buffer_size to grow beyond the configured vsk->buffer_max_size.

Fix this by checking the minimum first, and then the maximum. This
ensures the buffer size never exceeds the buffer_max_size.

Fixes: b9f2b0ff ("vsock: handle buffer_size sockopts in the core")
Suggested-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Norbert Szetei <norbert@doyensec.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://patch.msgid.link/180118C5-8BCF-4A63-A305-4EE53A34AB9C@doyensec.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parent 6f533abe

net/vmw_vsock/af_vsock.c

+3 −3

Original line number	Diff line number	Diff line
		@@ -1951,12 +1951,12 @@ static void vsock_update_buffer_size(struct vsock_sock *vsk,
		const struct vsock_transport *transport,
		u64 val)
		{
		if (val > vsk->buffer_max_size)
		val = vsk->buffer_max_size;

		if (val < vsk->buffer_min_size)
		val = vsk->buffer_min_size;

		if (val > vsk->buffer_max_size)
		val = vsk->buffer_max_size;

		if (val != vsk->buffer_size &&
		transport && transport->notify_buffer_size)
		transport->notify_buffer_size(vsk, &val);