diff options
author | Baruch Siach <baruch@tkos.co.il> | 2009-01-04 19:23:01 -0500 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2009-01-04 19:23:01 -0500 |
commit | 22692018b93f0782cda5a843cecfffda1854eb8d (patch) | |
tree | b75537b4c063a28226d1810d0209b30375613eec /drivers | |
parent | fecc7036e73a71231045e03ff524b5f8bd892a84 (diff) |
enc28j60: fix RX buffer overflow
The enc28j60 driver doesn't check whether the length of the packet as reported
by the hardware fits into the preallocated buffer. When stressed, the hardware
may report insanely large packets even tough the "Receive OK" bit is set. Fix
this.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/net/enc28j60.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/net/enc28j60.c b/drivers/net/enc28j60.c index b0ef46c51a9d..cefe1d98f93e 100644 --- a/drivers/net/enc28j60.c +++ b/drivers/net/enc28j60.c | |||
@@ -944,7 +944,7 @@ static void enc28j60_hw_rx(struct net_device *ndev) | |||
944 | if (netif_msg_rx_status(priv)) | 944 | if (netif_msg_rx_status(priv)) |
945 | enc28j60_dump_rsv(priv, __func__, next_packet, len, rxstat); | 945 | enc28j60_dump_rsv(priv, __func__, next_packet, len, rxstat); |
946 | 946 | ||
947 | if (!RSV_GETBIT(rxstat, RSV_RXOK)) { | 947 | if (!RSV_GETBIT(rxstat, RSV_RXOK) || len > MAX_FRAMELEN) { |
948 | if (netif_msg_rx_err(priv)) | 948 | if (netif_msg_rx_err(priv)) |
949 | dev_err(&ndev->dev, "Rx Error (%04x)\n", rxstat); | 949 | dev_err(&ndev->dev, "Rx Error (%04x)\n", rxstat); |
950 | ndev->stats.rx_errors++; | 950 | ndev->stats.rx_errors++; |
@@ -952,6 +952,8 @@ static void enc28j60_hw_rx(struct net_device *ndev) | |||
952 | ndev->stats.rx_crc_errors++; | 952 | ndev->stats.rx_crc_errors++; |
953 | if (RSV_GETBIT(rxstat, RSV_LENCHECKERR)) | 953 | if (RSV_GETBIT(rxstat, RSV_LENCHECKERR)) |
954 | ndev->stats.rx_frame_errors++; | 954 | ndev->stats.rx_frame_errors++; |
955 | if (len > MAX_FRAMELEN) | ||
956 | ndev->stats.rx_over_errors++; | ||
955 | } else { | 957 | } else { |
956 | skb = dev_alloc_skb(len + NET_IP_ALIGN); | 958 | skb = dev_alloc_skb(len + NET_IP_ALIGN); |
957 | if (!skb) { | 959 | if (!skb) { |