rt2x00: fix possible memory corruption in case of invalid rxdesc.size

Sometimes rxdesc descriptor provided by hardware contains invalid (random) data. For example rxdesc.size can be bigger than actual size of the buffer. When this happen rt2x00crypto_rx_insert_iv() corrupt memory doing memmove outside of buffer boundaries. Signed-off-by: Stanislaw Gruszka <stf_xl@wp.pl> Acked-by: Ivo van Doorn <IvDoorn@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
author: Stanislaw Gruszka <stf_xl@wp.pl> 2011-06-19 13:46:02 -0400
committer: John W. Linville <linville@tuxdriver.com> 2011-06-22 16:09:44 -0400
commit: 7f503fc49f144bb509dbd33daf3426df3f176e6b (patch)
tree: 33c71c73da165d47b2d059311cce4a00dbf70bbb /drivers/net
parent: 9c803a03bc07553f8148d024c15c784b28c1d9ee (diff)
1 files changed, 13 insertions, 0 deletions
diff --git a/drivers/net/wireless/rt2x00/rt2x00dev.c b/drivers/net/wireless/rt2x00/rt2x00dev.c
index 939821b4af2f..0955c941317f 100644
--- a/drivers/net/wireless/rt2x00/rt2x00dev.c
+++ b/drivers/net/wireless/rt2x00/rt2x00dev.c
@@ -583,6 +583,18 @@ void rt2x00lib_rxdone(struct queue_entry *entry)
        rt2x00dev->ops->lib->fill_rxdone(entry, &rxdesc);
        /*
+         * Check for valid size in case we get corrupted descriptor from
+         * hardware.
+         */
+        if (unlikely(rxdesc.size == 0 ||
+                     rxdesc.size > entry->queue->data_size)) {
+                WARNING(rt2x00dev, "Wrong frame size %d max %d.\n",
+                        rxdesc.size, entry->queue->data_size);
+                dev_kfree_skb(entry->skb);
+                goto renew_skb;
+        }
+        /*
         * The data behind the ieee80211 header must be
         * aligned on a 4 byte boundary.
         */
@@ -642,6 +654,7 @@ void rt2x00lib_rxdone(struct queue_entry *entry)
        ieee80211_rx_ni(rt2x00dev->hw, entry->skb);
+renew_skb:
        /*
         * Replace the skb with the freshly allocated one.
         */
author	Stanislaw Gruszka <stf_xl@wp.pl>	2011-06-19 13:46:02 -0400
committer	John W. Linville <linville@tuxdriver.com>	2011-06-22 16:09:44 -0400
commit	7f503fc49f144bb509dbd33daf3426df3f176e6b (patch)
tree	33c71c73da165d47b2d059311cce4a00dbf70bbb /drivers/net
parent	9c803a03bc07553f8148d024c15c784b28c1d9ee (diff)

diff --git a/drivers/net/wireless/rt2x00/rt2x00dev.c b/drivers/net/wireless/rt2x00/rt2x00dev.c index 939821b4af2f..0955c941317f 100644 --- a/drivers/net/wireless/rt2x00/rt2x00dev.c +++ b/drivers/net/wireless/rt2x00/rt2x00dev.c
@@ -583,6 +583,18 @@ void rt2x00lib_rxdone(struct queue_entry *entry)
583	rt2x00dev->ops->lib->fill_rxdone(entry, &rxdesc);	583	rt2x00dev->ops->lib->fill_rxdone(entry, &rxdesc);
584		584
585	/*	585	/*
		586	* Check for valid size in case we get corrupted descriptor from
		587	* hardware.
		588	*/
		589	if (unlikely(rxdesc.size == 0 \|\|
		590	rxdesc.size > entry->queue->data_size)) {
		591	WARNING(rt2x00dev, "Wrong frame size %d max %d.\n",
		592	rxdesc.size, entry->queue->data_size);
		593	dev_kfree_skb(entry->skb);
		594	goto renew_skb;
		595	}
		596
		597	/*
586	* The data behind the ieee80211 header must be	598	* The data behind the ieee80211 header must be
587	* aligned on a 4 byte boundary.	599	* aligned on a 4 byte boundary.
588	*/	600	*/
@@ -642,6 +654,7 @@ void rt2x00lib_rxdone(struct queue_entry *entry)
642		654
643	ieee80211_rx_ni(rt2x00dev->hw, entry->skb);	655	ieee80211_rx_ni(rt2x00dev->hw, entry->skb);
644		656
		657	renew_skb:
645	/*	658	/*
646	* Replace the skb with the freshly allocated one.	659	* Replace the skb with the freshly allocated one.
647	*/	660	*/