net/hyperv: Fix data corruption in rndis_filter_receive()

Limiting the memcpy to be the sizeof(struct rndis_message) can truncate the message if there are Per-Packet-Info or Out-of-Band data. In my earlier patch (commit 45326342), the unnecessary kmap_atomic and kunmap_atomic surrounding this memcpy have been removed because the memory in the receive buffer is always mapped. This memcpy is not necessary either. To fix the bug, I removed the memcpy. Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com> Reviewed-by: K. Y. Srinivasan <kys@microsoft.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Haiyang Zhang <haiyangz@microsoft.com> 2012-03-12 06:20:49 -0400
committer: David S. Miller <davem@davemloft.net> 2012-03-12 20:06:48 -0400
commit: ef31bef6216db76950c38f1993b45953402f4c63 (patch)
tree: 044be8b3a0a0f4cd365dbf107576a176bdeb0e0b /drivers/net/hyperv
parent: afd465030acb4098abcb6b965a5aebc7ea2209e0 (diff)
1 files changed, 9 insertions, 24 deletions
diff --git a/drivers/net/hyperv/rndis_filter.c b/drivers/net/hyperv/rndis_filter.c
index 136efd84373f..0c3d7d9f51d3 100644
--- a/drivers/net/hyperv/rndis_filter.c
+++ b/drivers/net/hyperv/rndis_filter.c
@@ -352,8 +352,7 @@ int rndis_filter_receive(struct hv_device *dev,
 {
        struct netvsc_device *net_dev = hv_get_drvdata(dev);
        struct rndis_device *rndis_dev;
-        struct rndis_message rndis_msg;
+        struct rndis_message *rndis_msg;
-        struct rndis_message *rndis_hdr;
        struct net_device *ndev;
        if (!net_dev)
@@ -375,46 +374,32 @@ int rndis_filter_receive(struct hv_device *dev,
                return -ENODEV;
        }
-        rndis_hdr = pkt->data;
+        rndis_msg = pkt->data;
-        /* Make sure we got a valid rndis message */
-        if ((rndis_hdr->ndis_msg_type != REMOTE_NDIS_PACKET_MSG) &&
-            (rndis_hdr->msg_len > sizeof(struct rndis_message))) {
-                netdev_err(ndev, "incoming rndis message buffer overflow "
-                           "detected (got %u, max %zu)..marking it an error!\n",
-                           rndis_hdr->msg_len,
-                           sizeof(struct rndis_message));
-        }
-        memcpy(&rndis_msg, rndis_hdr,
+        dump_rndis_message(dev, rndis_msg);
-                (rndis_hdr->msg_len > sizeof(struct rndis_message)) ?
-                        sizeof(struct rndis_message) :
-                        rndis_hdr->msg_len);
-        dump_rndis_message(dev, &rndis_msg);
+        switch (rndis_msg->ndis_msg_type) {
-        switch (rndis_msg.ndis_msg_type) {
        case REMOTE_NDIS_PACKET_MSG:
                /* data msg */
-                rndis_filter_receive_data(rndis_dev, &rndis_msg, pkt);
+                rndis_filter_receive_data(rndis_dev, rndis_msg, pkt);
                break;
        case REMOTE_NDIS_INITIALIZE_CMPLT:
        case REMOTE_NDIS_QUERY_CMPLT:
        case REMOTE_NDIS_SET_CMPLT:
                /* completion msgs */
-                rndis_filter_receive_response(rndis_dev, &rndis_msg);
+                rndis_filter_receive_response(rndis_dev, rndis_msg);
                break;
        case REMOTE_NDIS_INDICATE_STATUS_MSG:
                /* notification msgs */
-                rndis_filter_receive_indicate_status(rndis_dev, &rndis_msg);
+                rndis_filter_receive_indicate_status(rndis_dev, rndis_msg);
                break;
        default:
                netdev_err(ndev,
                        "unhandled rndis message (type %u len %u)\n",
-                           rndis_msg.ndis_msg_type,
+                           rndis_msg->ndis_msg_type,
-                           rndis_msg.msg_len);
+                           rndis_msg->msg_len);
                break;
        }
author	Haiyang Zhang <haiyangz@microsoft.com>	2012-03-12 06:20:49 -0400
committer	David S. Miller <davem@davemloft.net>	2012-03-12 20:06:48 -0400
commit	ef31bef6216db76950c38f1993b45953402f4c63 (patch)
tree	044be8b3a0a0f4cd365dbf107576a176bdeb0e0b /drivers/net/hyperv
parent	afd465030acb4098abcb6b965a5aebc7ea2209e0 (diff)