Search Linux Wireless

Re: [rt2x00-users] [PATCH V2]: rt2800usb: Added rx packet length validity check

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Sun, Sep 2, 2012 at 11:14 AM, Sergei Poselenov
<sposelenov@xxxxxxxxxxx> wrote:
> On our system (ARM Cortex-M3 SOC running linux-2.6.33)
> frequent crashes were observed in the rt2800usb module
> because of the invalid length of the received packet (3392,
> 46920...). This patch adds the sanity check on the packet
> legth. Also, changed WARNING to ERROR in rt2x00lib_rxdone()
> so that the bad packet condition would be noticed.
>
> The fix was tested on the latest compat-wireless-3.5.1-1-snpc.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Sergei Poselenov <sposelenov@xxxxxxxxxxx>

Acked-by: Ivo van Doorn <IvDoorn@xxxxxxxxx>

> ---
>  drivers/net/wireless/rt2x00/rt2800usb.c |   10 +++++++++-
>  drivers/net/wireless/rt2x00/rt2x00dev.c |    2 +-
>  2 files changed, 10 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/wireless/rt2x00/rt2800usb.c b/drivers/net/wireless/rt2x00/rt2800usb.c
> index f8085b2..48df102 100644
> --- a/drivers/net/wireless/rt2x00/rt2800usb.c
> +++ b/drivers/net/wireless/rt2x00/rt2800usb.c
> @@ -667,8 +667,16 @@ static void rt2800usb_fill_rxdone(struct queue_entry *entry,
>         skb_pull(entry->skb, RXINFO_DESC_SIZE);
>
>         /*
> -        * FIXME: we need to check for rx_pkt_len validity
> +        * Check for rx_pkt_len validity. Return if invalid, leaving
> +        * rxdesc->size zeroed out by the upper level.
>          */
> +       if (unlikely(rx_pkt_len == 0 ||
> +                       rx_pkt_len > entry->queue->data_size)) {
> +               ERROR(entry->queue->rt2x00dev,
> +                       "Bad frame size %d, forcing to 0\n", rx_pkt_len);
> +               return;
> +       }
> +
>         rxd = (__le32 *)(entry->skb->data + rx_pkt_len);
>
>         /*
> diff --git a/drivers/net/wireless/rt2x00/rt2x00dev.c b/drivers/net/wireless/rt2x00/rt2x00dev.c
> index a59048f..10cf672 100644
> --- a/drivers/net/wireless/rt2x00/rt2x00dev.c
> +++ b/drivers/net/wireless/rt2x00/rt2x00dev.c
> @@ -629,7 +629,7 @@ void rt2x00lib_rxdone(struct queue_entry *entry, gfp_t gfp)
>          */
>         if (unlikely(rxdesc.size == 0 ||
>                      rxdesc.size > entry->queue->data_size)) {
> -               WARNING(rt2x00dev, "Wrong frame size %d max %d.\n",
> +               ERROR(rt2x00dev, "Wrong frame size %d max %d.\n",
>                         rxdesc.size, entry->queue->data_size);
>                 dev_kfree_skb(entry->skb);
>                 goto renew_skb;
> --
> 1.7.4.4
>
>
>
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Host AP]     [ATH6KL]     [Linux Wireless Personal Area Network]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Linux Kernel]     [IDE]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite Hiking]     [MIPS Linux]     [ARM Linux]     [Linux RAID]

  Powered by Linux