CVE-2025-40292

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
08/12/2025
Last modified:
08/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

virtio-net: fix received length check in big packets

Since commit 4959aebba8c0 ("virtio-net: use mtu size as buffer length for big packets"), when guest gso is off, the allocated size for big packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on negotiated MTU. The number of allocated frags for big packets is stored in vi->big_packets_num_skbfrags.

Because the host announced buffer length can be malicious (e.g. the host vhost_net driver's get_rx_bufs is modified to announce incorrect length), we need a check in virtio_net receive path. Currently, the check is not adapted to the new change which can lead to NULL page pointer dereference in the below while loop when receiving length that is larger than the allocated one.

This commit fixes the received length check corresponding to the new change.
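The stale bound described above can be seen in a simplified user-space model, added here as an illustration; it is not the kernel patch or code from this advisory. The struct layout, the helper names (make_buf, len_ok_stale, len_ok_adapted, walk_pages) and the MAX_SKB_FRAGS value of 17 are assumptions of the model.

```c
#include <stddef.h>
#include <stdio.h>
#define PAGE_SIZE     4096u
#define MAX_SKB_FRAGS 17u            /* assumed value for this model */

/* Model only: a big-packet receive buffer as a chain of pages. */
struct page { struct page *next; };
struct rx_buf { struct page *head; unsigned int num_frags; };
static struct page pool[MAX_SKB_FRAGS];

/* Chain n pages, as an MTU-sized allocation would (n <= MAX_SKB_FRAGS). */
static struct rx_buf make_buf(unsigned int n) {
    for (unsigned int i = 0; i < n; i++)
        pool[i].next = (i + 1 < n) ? &pool[i + 1] : NULL;
    struct rx_buf b = { n ? &pool[0] : NULL, n };
    return b;
}

/* Stale check: still assumes the worst-case MAX_SKB_FRAGS allocation. */
static int len_ok_stale(const struct rx_buf *b, size_t len) {
    (void)b;
    return len <= (size_t)MAX_SKB_FRAGS * PAGE_SIZE;
}

/* Adapted check: bounded by the pages actually allocated. */
static int len_ok_adapted(const struct rx_buf *b, size_t len) {
    return len <= (size_t)b->num_frags * PAGE_SIZE;
}

/* Consume len bytes page by page. Returns pages used, or -1 at the point
 * where an unchecked loop would dereference a NULL page pointer. */
static int walk_pages(const struct rx_buf *b, size_t len) {
    const struct page *p = b->head;
    int used = 0;
    while (len) {
        if (!p) return -1;
        len -= len < PAGE_SIZE ? len : PAGE_SIZE;
        p = p->next;
        used++;
    }
    return used;
}

int main(void) {
    struct rx_buf b = make_buf(3);             /* constructed: 3 pages */
    size_t announced = 5 * (size_t)PAGE_SIZE;  /* constructed: oversized length */
    printf("stale=%d adapted=%d walk=%d\n", len_ok_stale(&b, announced),
           len_ok_adapted(&b, announced), walk_pages(&b, announced));
    return 0;
}
```

With three pages allocated and a five-page length announced, the stale bound accepts the length and the walk runs past the end of the chain, while the allocation-based bound rejects it before the walk starts.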

Impact