Skip to content

L
linux
Commit 7f503fc4 authored by Stanislaw Gruszka's avatar Stanislaw Gruszka Committed by John W. Linville
Browse files
Options

rt2x00: fix possible memory corruption in case of invalid rxdesc.size 

Sometimes rxdesc descriptor provided by hardware contains invalid
(random) data. For example rxdesc.size can be bigger than actual
size of the buffer. When this happen rt2x00crypto_rx_insert_iv()
corrupt memory doing memmove outside of buffer boundaries.
Signed-off-by: default avatarStanislaw Gruszka <stf_xl@wp.pl>
Acked-by: default avatarIvo van Doorn <IvDoorn@gmail.com>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent 9c803a03
Hide whitespace changes
Inline Side-by-side
Showing with 13 additions and 0 deletions
drivers/net/wireless/rt2x00/rt2x00dev.c
View file @ 7f503fc4
......@@ -582,6 +582,18 @@ void rt2x00lib_rxdone(struct queue_entry *entry)
memset(&rxdesc, 0, sizeof(rxdesc));
rt2x00dev->ops->lib->fill_rxdone(entry, &rxdesc);
/*
* Check for valid size in case we get corrupted descriptor from
* hardware.
*/
if (unlikely(rxdesc.size == 0 ||
rxdesc.size > entry->queue->data_size)) {
WARNING(rt2x00dev, "Wrong frame size %d max %d.\n",
rxdesc.size, entry->queue->data_size);
dev_kfree_skb(entry->skb);
goto renew_skb;
}
/*
* The data behind the ieee80211 header must be
* aligned on a 4 byte boundary.
......@@ -642,6 +654,7 @@ void rt2x00lib_rxdone(struct queue_entry *entry)
ieee80211_rx_ni(rt2x00dev->hw, entry->skb);
renew_skb:
/*
* Replace the skb with the freshly allocated one.
*/
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7