diff options
| author | Sergei Poselenov <sposelenov@emcraft.com> | 2012-09-02 05:14:32 -0400 |
|---|---|---|
| committer | John W. Linville <linville@tuxdriver.com> | 2012-09-05 14:53:36 -0400 |
| commit | efd5d6b03bd9c9e0df646c56fb5f4f3e25e5c1ac (patch) | |
| tree | acb7e549799ecf6f41aa1971cca044e5e06ce4db /drivers/net/wireless/rt2x00 | |
| parent | a396e10019eaf3809b0219c966865aaafec12630 (diff) | |
rt2800usb: Added rx packet length validity check
On our system (ARM Cortex-M3 SOC running linux-2.6.33)
frequent crashes were observed in the rt2800usb module
because of the invalid length of the received packet (3392,
46920...). This patch adds the sanity check on the packet
legth. Also, changed WARNING to ERROR in rt2x00lib_rxdone()
so that the bad packet condition would be noticed.
The fix was tested on the latest compat-wireless-3.5.1-1-snpc.
Cc: stable@vger.kernel.org
Signed-off-by: Sergei Poselenov <sposelenov@emcraft.com>
Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers/net/wireless/rt2x00')
| -rw-r--r-- | drivers/net/wireless/rt2x00/rt2800usb.c | 10 | ||||
| -rw-r--r-- | drivers/net/wireless/rt2x00/rt2x00dev.c | 2 |
2 files changed, 10 insertions, 2 deletions
diff --git a/drivers/net/wireless/rt2x00/rt2800usb.c b/drivers/net/wireless/rt2x00/rt2800usb.c index 52a32b5baea..6b4226b7161 100644 --- a/drivers/net/wireless/rt2x00/rt2800usb.c +++ b/drivers/net/wireless/rt2x00/rt2800usb.c | |||
| @@ -667,8 +667,16 @@ static void rt2800usb_fill_rxdone(struct queue_entry *entry, | |||
| 667 | skb_pull(entry->skb, RXINFO_DESC_SIZE); | 667 | skb_pull(entry->skb, RXINFO_DESC_SIZE); |
| 668 | 668 | ||
| 669 | /* | 669 | /* |
| 670 | * FIXME: we need to check for rx_pkt_len validity | 670 | * Check for rx_pkt_len validity. Return if invalid, leaving |
| 671 | * rxdesc->size zeroed out by the upper level. | ||
| 671 | */ | 672 | */ |
| 673 | if (unlikely(rx_pkt_len == 0 || | ||
| 674 | rx_pkt_len > entry->queue->data_size)) { | ||
| 675 | ERROR(entry->queue->rt2x00dev, | ||
| 676 | "Bad frame size %d, forcing to 0\n", rx_pkt_len); | ||
| 677 | return; | ||
| 678 | } | ||
| 679 | |||
| 672 | rxd = (__le32 *)(entry->skb->data + rx_pkt_len); | 680 | rxd = (__le32 *)(entry->skb->data + rx_pkt_len); |
| 673 | 681 | ||
| 674 | /* | 682 | /* |
diff --git a/drivers/net/wireless/rt2x00/rt2x00dev.c b/drivers/net/wireless/rt2x00/rt2x00dev.c index a6b88bd4a1a..3f07e36f462 100644 --- a/drivers/net/wireless/rt2x00/rt2x00dev.c +++ b/drivers/net/wireless/rt2x00/rt2x00dev.c | |||
| @@ -629,7 +629,7 @@ void rt2x00lib_rxdone(struct queue_entry *entry, gfp_t gfp) | |||
| 629 | */ | 629 | */ |
| 630 | if (unlikely(rxdesc.size == 0 || | 630 | if (unlikely(rxdesc.size == 0 || |
| 631 | rxdesc.size > entry->queue->data_size)) { | 631 | rxdesc.size > entry->queue->data_size)) { |
| 632 | WARNING(rt2x00dev, "Wrong frame size %d max %d.\n", | 632 | ERROR(rt2x00dev, "Wrong frame size %d max %d.\n", |
| 633 | rxdesc.size, entry->queue->data_size); | 633 | rxdesc.size, entry->queue->data_size); |
| 634 | dev_kfree_skb(entry->skb); | 634 | dev_kfree_skb(entry->skb); |
| 635 | goto renew_skb; | 635 | goto renew_skb; |