summaryrefslogtreecommitdiff
path: root/drivers/net/wireless/rt2x00/rt2x00dev.c
diff options
context:
space:
mode:
authorStanislaw Gruszka <stf_xl@wp.pl>2011-06-19 19:46:02 +0200
committerJohn W. Linville <linville@tuxdriver.com>2011-06-22 16:09:44 -0400
commit7f503fc49f144bb509dbd33daf3426df3f176e6b (patch)
tree33c71c73da165d47b2d059311cce4a00dbf70bbb /drivers/net/wireless/rt2x00/rt2x00dev.c
parent9c803a03bc07553f8148d024c15c784b28c1d9ee (diff)
downloadlwn-7f503fc49f144bb509dbd33daf3426df3f176e6b.tar.gz
lwn-7f503fc49f144bb509dbd33daf3426df3f176e6b.zip
rt2x00: fix possible memory corruption in case of invalid rxdesc.size
Sometimes rxdesc descriptor provided by hardware contains invalid (random) data. For example rxdesc.size can be bigger than actual size of the buffer. When this happen rt2x00crypto_rx_insert_iv() corrupt memory doing memmove outside of buffer boundaries. Signed-off-by: Stanislaw Gruszka <stf_xl@wp.pl> Acked-by: Ivo van Doorn <IvDoorn@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers/net/wireless/rt2x00/rt2x00dev.c')
-rw-r--r--drivers/net/wireless/rt2x00/rt2x00dev.c13
1 files changed, 13 insertions, 0 deletions
diff --git a/drivers/net/wireless/rt2x00/rt2x00dev.c b/drivers/net/wireless/rt2x00/rt2x00dev.c
index 939821b4af2f..0955c941317f 100644
--- a/drivers/net/wireless/rt2x00/rt2x00dev.c
+++ b/drivers/net/wireless/rt2x00/rt2x00dev.c
@@ -583,6 +583,18 @@ void rt2x00lib_rxdone(struct queue_entry *entry)
rt2x00dev->ops->lib->fill_rxdone(entry, &rxdesc);
/*
+ * Check for valid size in case we get corrupted descriptor from
+ * hardware.
+ */
+ if (unlikely(rxdesc.size == 0 ||
+ rxdesc.size > entry->queue->data_size)) {
+ WARNING(rt2x00dev, "Wrong frame size %d max %d.\n",
+ rxdesc.size, entry->queue->data_size);
+ dev_kfree_skb(entry->skb);
+ goto renew_skb;
+ }
+
+ /*
* The data behind the ieee80211 header must be
* aligned on a 4 byte boundary.
*/
@@ -642,6 +654,7 @@ void rt2x00lib_rxdone(struct queue_entry *entry)
ieee80211_rx_ni(rt2x00dev->hw, entry->skb);
+renew_skb:
/*
* Replace the skb with the freshly allocated one.
*/