On Sun, Jun 19, 2011 at 7:46 PM, Stanislaw Gruszka <stf_xl@xxxxx> wrote:
> Sometimes rxdesc descriptor provided by hardware contains invalid
> (random) data. For example rxdesc.size can be bigger than actual
> size of the buffer. When this happen rt2x00crypto_rx_insert_iv()
> corrupt memory doing memmove outside of buffer boundaries.
>
> Signed-off-by: Stanislaw Gruszka <stf_xl@xxxxx>
Acked-by: Ivo van Doorn <IvDoorn@xxxxxxxxx>
> ---
> drivers/net/wireless/rt2x00/rt2x00dev.c | 13 +++++++++++++
> 1 files changed, 13 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/net/wireless/rt2x00/rt2x00dev.c b/drivers/net/wireless/rt2x00/rt2x00dev.c
> index 939821b..0955c94 100644
> --- a/drivers/net/wireless/rt2x00/rt2x00dev.c
> +++ b/drivers/net/wireless/rt2x00/rt2x00dev.c
> @@ -583,6 +583,18 @@ void rt2x00lib_rxdone(struct queue_entry *entry)
> rt2x00dev->ops->lib->fill_rxdone(entry, &rxdesc);
>
> /*
> + * Check for valid size in case we get corrupted descriptor from
> + * hardware.
> + */
> + if (unlikely(rxdesc.size == 0 ||
> + rxdesc.size > entry->queue->data_size)) {
> + WARNING(rt2x00dev, "Wrong frame size %d max %d.\n",
> + rxdesc.size, entry->queue->data_size);
> + dev_kfree_skb(entry->skb);
> + goto renew_skb;
> + }
> +
> + /*
> * The data behind the ieee80211 header must be
> * aligned on a 4 byte boundary.
> */
> @@ -642,6 +654,7 @@ void rt2x00lib_rxdone(struct queue_entry *entry)
>
> ieee80211_rx_ni(rt2x00dev->hw, entry->skb);
>
> +renew_skb:
> /*
> * Replace the skb with the freshly allocated one.
> */
> --
> 1.7.4
>
>
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
