Chien Wong <m@xxxxxxxx> writes:

> Currently, the length of USB messages sent from the host to the Wi-Fi dongle is
> not checked. Without the check, we could crash the firmware.
>
> The length limits are determined by _HIFusb_get_max_msg_len_patch()
> in the firmware code, located in k2_HIF_usb_patch.c and HIF_usb_patch.c
> of the open-ath9k-htc-firmware project. The limits are 512 and 1600
> bytes for regout and Wi-Fi TX messages respectively.
> I'm not sure if the firmware crash is due to a buffer overflow when RXing
> USB messages that are too long, but the length limit is clear and verified.
> Somebody knowing the hardware internals could help.
>
> We should try our best not to crash the firmware. Note that setting the
> MTU limit may not work: monitor interfaces will ignore the limit.
> So we just drop messages that are too long and give a warning on such events.

Silently dropping packets seems like a bad idea. If needed, we can have a
length check with a warning *in addition* to the MTU limit, but we should
definitely disallow the MTU change first...

-Toke
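A host-side sketch of the check the thread is arguing about, written here as an added example: it is my own C, not the ath9k_htc driver's code and not a patch from this thread. The only values taken from the mail are the two firmware limits (512 bytes for regout, 1600 bytes for Wi-Fi TX); the pipe enum, the EXAMPLE_* names, the drop/sent counters and the rate-limited warning are assumptions made for illustration. The point it shows is the one both posters agree on: the length is checked before the message is queued to USB, an oversized message never reaches the firmware, and the drop is counted and logged rather than silent.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Limits quoted in the thread from _HIFusb_get_max_msg_len_patch() in the
 * open-ath9k-htc-firmware project: 512 bytes for regout messages and
 * 1600 bytes for Wi-Fi TX messages. The EXAMPLE_* names and the pipe enum
 * are this example's own, not ath9k_htc driver identifiers. */
#define EXAMPLE_REGOUT_MAX_LEN   512u
#define EXAMPLE_WIFI_TX_MAX_LEN  1600u

enum example_pipe {
	EXAMPLE_PIPE_REGOUT,   /* register write / command messages */
	EXAMPLE_PIPE_WIFI_TX,  /* 802.11 frames handed to the dongle */
};

/* Per-pipe limit the firmware accepts; 0 means "unknown pipe, refuse". */
size_t example_max_msg_len(enum example_pipe pipe)
{
	switch (pipe) {
	case EXAMPLE_PIPE_REGOUT:  return EXAMPLE_REGOUT_MAX_LEN;
	case EXAMPLE_PIPE_WIFI_TX: return EXAMPLE_WIFI_TX_MAX_LEN;
	default:                   return 0;
	}
}

/* True if a message of len bytes may be sent on pipe. Zero-length
 * messages are refused as well: there is nothing for the firmware to parse. */
bool example_msg_len_ok(enum example_pipe pipe, size_t len)
{
	size_t max = example_max_msg_len(pipe);
	return max != 0 && len != 0 && len <= max;
}

/* Counters a driver would expose so that drops are not silent. */
struct example_stats {
	unsigned long sent;
	unsigned long dropped;
	unsigned long warned;   /* warnings actually emitted (rate-limited) */
};

/* Simulated host->dongle send path. The length check runs before the
 * message touches any USB buffer, so an oversized frame never reaches the
 * firmware. Returns 0 on send, -1 on drop. Only the first three drops
 * print a warning, the way a driver would rate-limit its log. */
int example_send(struct example_stats *st, enum example_pipe pipe,
		 const unsigned char *buf, size_t len)
{
	(void)buf; /* a real path would queue buf; this example only checks */
	if (!example_msg_len_ok(pipe, len)) {
		st->dropped++;
		if (st->warned < 3) {
			st->warned++;
			fprintf(stderr,
				"example: dropping %zu-byte message on pipe %d (max %zu)\n",
				len, (int)pipe, example_max_msg_len(pipe));
		}
		return -1;
	}
	st->sent++;
	return 0;
}

/* Constructed scenario: frames of several lengths, as a monitor interface
 * that ignores the MTU could hand them down. Returns the number dropped. */
unsigned long example_run_batch(struct example_stats *st)
{
	static unsigned char frame[2048]; /* constructed payload, contents irrelevant */
	const size_t lens[] = { 64, 1500, 1600, 1601, 2048 };
	size_t i;

	memset(frame, 0xAB, sizeof frame);
	for (i = 0; i < sizeof lens / sizeof lens[0]; i++)
		example_send(st, EXAMPLE_PIPE_WIFI_TX, frame, lens[i]);
	example_send(st, EXAMPLE_PIPE_REGOUT, frame, 512);  /* at the limit: sent */
	example_send(st, EXAMPLE_PIPE_REGOUT, frame, 513);  /* one over: dropped */
	return st->dropped;
}
```

The check is independent of any MTU setting, which is why it catches the monitor-interface case the first mail mentions; Toke's suggestion of keeping the MTU restriction as well would simply mean that normal data-path frames are refused earlier, by the network stack, and this USB-layer check remains as the last line before the firmware.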