On Sun, Jun 19, 2011 at 7:46 PM, Stanislaw Gruszka <stf_xl@xxxxx> wrote: > Sometimes rxdesc descriptor provided by hardware contains invalid > (random) data. For example rxdesc.size can be bigger than actual > size of the buffer. When this happens rt2x00crypto_rx_insert_iv() > corrupts memory doing memmove outside of buffer boundaries. > > Signed-off-by: Stanislaw Gruszka <stf_xl@xxxxx> Acked-by: Ivo van Doorn <IvDoorn@xxxxxxxxx> > --- > drivers/net/wireless/rt2x00/rt2x00dev.c | 13 +++++++++++++ > 1 files changed, 13 insertions(+), 0 deletions(-) > > diff --git a/drivers/net/wireless/rt2x00/rt2x00dev.c b/drivers/net/wireless/rt2x00/rt2x00dev.c > index 939821b..0955c94 100644 > --- a/drivers/net/wireless/rt2x00/rt2x00dev.c > +++ b/drivers/net/wireless/rt2x00/rt2x00dev.c > @@ -583,6 +583,18 @@ void rt2x00lib_rxdone(struct queue_entry *entry) > rt2x00dev->ops->lib->fill_rxdone(entry, &rxdesc); > > /* > + * Check for valid size in case we get corrupted descriptor from > + * hardware. > + */ > + if (unlikely(rxdesc.size == 0 || > + rxdesc.size > entry->queue->data_size)) { > + WARNING(rt2x00dev, "Wrong frame size %d max %d.\n", > + rxdesc.size, entry->queue->data_size); > + dev_kfree_skb(entry->skb); > + goto renew_skb; > + } > + > + /* > * The data behind the ieee80211 header must be > * aligned on a 4 byte boundary. > */ > @@ -642,6 +654,7 @@ void rt2x00lib_rxdone(struct queue_entry *entry) > > ieee80211_rx_ni(rt2x00dev->hw, entry->skb); > > +renew_skb: > /* > * Replace the skb with the freshly allocated one. > */ > -- > 1.7.4
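Review bot: in the first hunk (@@ -583,6 +583,18 @@), the WARNING() in the new size check is emitted for every rejected descriptor with no rate limiting. The commit message says the hardware sometimes returns random descriptor data, so a device stuck in that state can flood the kernel log from the RX path. Consider rate-limiting the message (for example behind printk_ratelimit()) or counting the drops in a statistic instead. The comment would also be more useful to the next reader if it named the consumer being protected, which per the commit message is the memmove in rt2x00crypto_rx_insert_iv().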
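Review bot: in the second hunk (@@ -642,6 +654,7 @@), the new renew_skb label is reached from the error branch after dev_kfree_skb(entry->skb), so entry->skb is a dangling pointer from that call until the replacement under the label runs. Please confirm that nothing between the label and the assignment of the fresh skb reads the old entry->skb, and extend the comment under the label to say that it is also the entry point for dropped frames, so a later change does not insert a use of entry->skb above the replacement.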