authorBaruch Siach <baruch@tkos.co.il>2009-01-04 19:23:01 -0500
committerDavid S. Miller <davem@davemloft.net>2009-01-04 19:23:01 -0500
commit22692018b93f0782cda5a843cecfffda1854eb8d (patch)
treeb75537b4c063a28226d1810d0209b30375613eec /drivers
parentfecc7036e73a71231045e03ff524b5f8bd892a84 (diff)
enc28j60: fix RX buffer overflow
The enc28j60 driver doesn't check whether the length of the packet as reported by the hardware fits into the preallocated buffer. When stressed, the hardware may report insanely large packets even though the "Receive OK" bit is set. Fix this. Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/net/enc28j60.c4
1 files changed, 3 insertions, 1 deletions
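diff --git a/drivers/net/enc28j60.c b/drivers/net/enc28j60.c
index b0ef46c51a9d..cefe1d98f93e 100644
--- a/drivers/net/enc28j60.c
+++ b/drivers/net/enc28j60.c
@@ -944,7 +944,7 @@ static void enc28j60_hw_rx(struct net_device *ndev)
 if (netif_msg_rx_status(priv))
 enc28j60_dump_rsv(priv, __func__, next_packet, len, rxstat);
 
-if (!RSV_GETBIT(rxstat, RSV_RXOK)) {
+if (!RSV_GETBIT(rxstat, RSV_RXOK) || len > MAX_FRAMELEN) {
 if (netif_msg_rx_err(priv))
 dev_err(&ndev->dev, "Rx Error (%04x)\n", rxstat);
 ndev->stats.rx_errors++;
@@ -952,6 +952,8 @@ static void enc28j60_hw_rx(struct net_device *ndev)
 ndev->stats.rx_crc_errors++;
 if (RSV_GETBIT(rxstat, RSV_LENCHECKERR))
 ndev->stats.rx_frame_errors++;
+if (len > MAX_FRAMELEN)
+ndev->stats.rx_over_errors++;
 } else {
 skb = dev_alloc_skb(len + NET_IP_ALIGN);
 if (!skb) {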
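Review bot: The oversize case added at new lines 955-956 is counted in `rx_over_errors`, which netdev statistics conventionally reserve for receive ring overruns; a frame whose reported length exceeds `MAX_FRAMELEN` fits `ndev->stats.rx_length_errors++;` better and keeps the two conditions distinguishable when monitoring. The `dev_err` call at line 949 also prints only `rxstat`, so when the hardware reports a bogus length with Receive OK set, the log shows a status word that looks clean. Including `len` in that message, with a specifier matching its declaration (which is outside the hunk), would make these events diagnosable. enc28j60_hw_rx begins and ends outside both hunks.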