From def7de4690ddb40f7c3b29e6ca81d30e9409fb5d Mon Sep 17 00:00:00 2001 From: Laurent Vivier Date: Tue, 11 Feb 2025 20:43:32 +0100 Subject: tcp_vu: Fix off-by one in header count array adjustment head_cnt represents the number of frames we're going to forward to the guest in tcp_vu_sock_recv(), each of which could require multiple buffers ("elements"). We initialise it with as many frames as we can find space for in vu buffers, and we then need to adjust it down to the number of frames we actually (partially) filled. We adjust it down based on number of individual buffers used by the data from recvmsg(). At this point 'i' is *one greater than* that number of buffers, so we need to discard all (unused) frames with a buffer index >= i, instead of > i. Reported-by: David Gibson [david: Contributed actual commit message] Reviewed-by: David Gibson Signed-off-by: Stefano Brivio --- tcp_vu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tcp_vu.c b/tcp_vu.c index fad7065..0622f17 100644 --- a/tcp_vu.c +++ b/tcp_vu.c @@ -261,7 +261,7 @@ static ssize_t tcp_vu_sock_recv(const struct ctx *c, len -= iov->iov_len; } /* adjust head count */ - while (head_cnt > 0 && head[head_cnt - 1] > i) + while (head_cnt > 0 && head[head_cnt - 1] >= i) head_cnt--; /* mark end of array */ head[head_cnt] = i; -- cgit v1.2.3
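Review bot: The comment `/* adjust head count */` above the changed `while` condition does not record the invariant this fix depends on: per the commit message, `i` at this point is one greater than the number of buffers used by the recvmsg() data, so every frame whose starting buffer index is `>= i` is unused. Since the off-by-one was in exactly this comparison, I would expand the comment to say what `i` means here and why the test is `>=`, so the condition is not "corrected" back later. Separately, `head[head_cnt] = i;` stores the end marker one slot past the last kept frame; when the loop discards nothing, that is the slot at the initial `head_cnt`, so it is worth confirming that `head[]` is sized for that extra entry. The array's size is not visible in this hunk.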