diff options
| author | Íñigo Huguet <ihuguet@redhat.com> | 2021-05-11 09:19:27 +0200 |
|---|---|---|
| committer | Kalle Valo <kvalo@codeaurora.org> | 2021-06-19 12:06:09 +0300 |
| commit | adf6a0f8c0a656df3d29403f314bf3e0dbb2dd77 (patch) | |
| tree | 6227b31ef87c334be12ae84ed1100cf861d6e5fb | |
| parent | c240b044edefa3c3af4014a4030e017dd95b59a1 (diff) | |
| download | lwn-adf6a0f8c0a656df3d29403f314bf3e0dbb2dd77.tar.gz lwn-adf6a0f8c0a656df3d29403f314bf3e0dbb2dd77.zip | |
rtl8xxxu: avoid parsing short RX packet
One USB data buffer can contain multiple received network
packets. If that's the case, they're processed this way:
1. Original buffer is cloned
2. Original buffer is trimmed to contain only the first
network packet
3. This first network packet is passed to network stack
4. Cloned buffer is trimmed to eliminate the first network
packet
5. Repeat with the cloned buffer until there are no more
network packets inside
However, if the space remaining in original buffer after
the first network packet is not enough to contain at least
another network packet descriptor, it is not cloned.
The loop parsing this packets ended if remaining space == 0.
But if the remaining space was > 0 but < packet descriptor
size, another iteration of the loop was done, processing again
the previous packet because cloning didn't happen. Moreover,
the ownership of this packet had been passed to network
stack in the previous iteration.
This patch ensures that no extra iteration is done if the
remaining size is not enough for one packet, and also avoid
the first iteration for the same reason.
Probably this doesn't happen in practice, but can happen
theoretically.
Signed-off-by: Íñigo Huguet <ihuguet@redhat.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20210511071926.8951-1-ihuguet@redhat.com
| -rw-r--r-- | drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c index 9ff09cf7eb62..ac1061caacd6 100644 --- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c @@ -5554,6 +5554,11 @@ int rtl8xxxu_parse_rxdesc16(struct rtl8xxxu_priv *priv, struct sk_buff *skb) urb_len = skb->len; pkt_cnt = 0; + if (urb_len < sizeof(struct rtl8xxxu_rxdesc16)) { + kfree_skb(skb); + return RX_TYPE_ERROR; + } + do { rx_desc = (struct rtl8xxxu_rxdesc16 *)skb->data; _rx_desc_le = (__le32 *)skb->data; @@ -5581,7 +5586,7 @@ int rtl8xxxu_parse_rxdesc16(struct rtl8xxxu_priv *priv, struct sk_buff *skb) * at least cover the rx descriptor */ if (pkt_cnt > 1 && - urb_len > (pkt_offset + sizeof(struct rtl8xxxu_rxdesc16))) + urb_len >= (pkt_offset + sizeof(struct rtl8xxxu_rxdesc16))) next_skb = skb_clone(skb, GFP_ATOMIC); rx_status = IEEE80211_SKB_RXCB(skb); @@ -5627,7 +5632,9 @@ int rtl8xxxu_parse_rxdesc16(struct rtl8xxxu_priv *priv, struct sk_buff *skb) pkt_cnt--; urb_len -= pkt_offset; - } while (skb && urb_len > 0 && pkt_cnt > 0); + next_skb = NULL; + } while (skb && pkt_cnt > 0 && + urb_len >= sizeof(struct rtl8xxxu_rxdesc16)); return RX_TYPE_DATA_PKT; } |