Search Linux Wireless

[PATCH 06/24] rt2x00: Don't use unitialized rxdesc->size

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

From: Mattias Nissler <mattias.nissler@xxxxxx>

rxdesc->size is unitialized before the desriptor has been read.
Move the truncation of the sk buffer to the moment all variables
have been initialized.

Signed-off-by: Mattias Nissler <mattias.nissler@xxxxxx>
Signed-off-by: Ivo van Doorn <IvDoorn@xxxxxxxxx>
---
 drivers/net/wireless/rt2x00/rt2500usb.c |   11 +++++++----
 drivers/net/wireless/rt2x00/rt73usb.c   |   11 +++++++----
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/drivers/net/wireless/rt2x00/rt2500usb.c b/drivers/net/wireless/rt2x00/rt2500usb.c
index 86cd9a5..559131f 100644
--- a/drivers/net/wireless/rt2x00/rt2500usb.c
+++ b/drivers/net/wireless/rt2x00/rt2500usb.c
@@ -1123,13 +1123,10 @@ static void rt2500usb_fill_rxdone(struct queue_entry *entry,
 
 	/*
 	 * Copy descriptor to the available headroom inside the skbuffer.
-	 * Remove the original copy by trimming the skbuffer.
 	 */
 	skb_push(entry->skb, offset);
 	memcpy(entry->skb->data, rxd, entry->queue->desc_size);
 	rxd = (__le32 *)entry->skb->data;
-	skb_pull(entry->skb, offset);
-	skb_trim(entry->skb, rxdesc->size);
 
 	/*
 	 * The descriptor is now aligned to 4 bytes and thus it is
@@ -1155,11 +1152,17 @@ static void rt2500usb_fill_rxdone(struct queue_entry *entry,
 	rxdesc->my_bss = !!rt2x00_get_field32(word0, RXD_W0_MY_BSS);
 
 	/*
+	 * Adjust the skb memory window to the frame boundaries.
+	 */
+	skb_pull(entry->skb, offset);
+	skb_trim(entry->skb, rxdesc->size);
+
+	/*
 	 * Set descriptor and data pointer.
 	 */
 	skbdesc->data = entry->skb->data;
 	skbdesc->data_len = rxdesc->size;
-	skbdesc->desc = entry->skb->data - offset;
+	skbdesc->desc = rxd;
 	skbdesc->desc_len = entry->queue->desc_size;
 }
 
diff --git a/drivers/net/wireless/rt2x00/rt73usb.c b/drivers/net/wireless/rt2x00/rt73usb.c
index 77bdef8..9b4feb3 100644
--- a/drivers/net/wireless/rt2x00/rt73usb.c
+++ b/drivers/net/wireless/rt2x00/rt73usb.c
@@ -1376,13 +1376,10 @@ static void rt73usb_fill_rxdone(struct queue_entry *entry,
 
 	/*
 	 * Copy descriptor to the available headroom inside the skbuffer.
-	 * Remove the original copy by pulling the skbuffer.
 	 */
 	skb_push(entry->skb, offset);
 	memcpy(entry->skb->data, rxd, entry->queue->desc_size);
 	rxd = (__le32 *)entry->skb->data;
-	skb_pull(entry->skb, offset + entry->queue->desc_size);
-	skb_trim(entry->skb, rxdesc->size);
 
 	/*
 	 * The descriptor is now aligned to 4 bytes and thus it is
@@ -1405,11 +1402,17 @@ static void rt73usb_fill_rxdone(struct queue_entry *entry,
 	rxdesc->my_bss = !!rt2x00_get_field32(word0, RXD_W0_MY_BSS);
 
 	/*
+	 * Adjust the skb memory window to the frame boundaries.
+	 */
+	skb_pull(entry->skb, offset + entry->queue->desc_size);
+	skb_trim(entry->skb, rxdesc->size);
+
+	/*
 	 * Set descriptor and data pointer.
 	 */
 	skbdesc->data = entry->skb->data;
 	skbdesc->data_len = rxdesc->size;
-	skbdesc->desc = entry->skb->data - offset;
+	skbdesc->desc = rxd;
 	skbdesc->desc_len = entry->queue->desc_size;
 }
 
-- 
1.5.4.3

--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Host AP]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Linux Kernel]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]
  Powered by Linux