On Tue, May 11, 2010 at 11:51 PM, Gertjan van Wingerde
<gwingerde@xxxxxxxxx> wrote:
> The buffer address descriptor word is not part of the TXINFO structure
> needed for beacons. The current writing of that word for beacons is
> therefore an out-of-bounds write.
> Fix this by only writing the buffer address descriptor word for TX
> queues.
>
> Signed-off-by: Gertjan van Wingerde <gwingerde@xxxxxxxxx>
> ---
> drivers/net/wireless/rt2x00/rt61pci.c | 10 +++++-----
> 1 files changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/net/wireless/rt2x00/rt61pci.c b/drivers/net/wireless/rt2x00/rt61pci.c
> index 2436363..99c2981 100644
> --- a/drivers/net/wireless/rt2x00/rt61pci.c
> +++ b/drivers/net/wireless/rt2x00/rt61pci.c
> @@ -1801,12 +1801,12 @@ static void rt61pci_write_tx_desc(struct rt2x00_dev *rt2x00dev,
> rt2x00_set_field32(&word, TXD_W5_WAITING_DMA_DONE_INT, 1);
> rt2x00_desc_write(txd, 5, word);
>
> - rt2x00_desc_read(txd, 6, &word);
> - rt2x00_set_field32(&word, TXD_W6_BUFFER_PHYSICAL_ADDRESS,
> - skbdesc->skb_dma);
> - rt2x00_desc_write(txd, 6, word);
> + if (txdesc->queue != QID_BEACON) {
> + rt2x00_desc_read(txd, 6, &word);
> + rt2x00_set_field32(&word, TXD_W6_BUFFER_PHYSICAL_ADDRESS,
> + skbdesc->skb_dma);
> + rt2x00_desc_write(txd, 6, word);
>
> - if (skbdesc->desc_len > TXINFO_SIZE) {
> rt2x00_desc_read(txd, 11, &word);
> rt2x00_set_field32(&word, TXD_W11_BUFFER_LENGTH0,
> txdesc->length);
Shouldn't the check for TXINFO_SIZE be used rather than explicitly
checking for the QID?
Ivo
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
