From: Johannes Berg <johannes@sipsolutions.net>
To: John Linville <linville@tuxdriver.com>
Cc: linux-wireless@vger.kernel.org
Subject: [PATCH 6/8] mac80211: add skb length sanity checking
Date: Mon, 23 Mar 2009 17:28:40 +0100 [thread overview]
Message-ID: <20090323163053.073748867@sipsolutions.net> (raw)
In-Reply-To: 20090323162834.154525349@sipsolutions.net
We just found a bug in zd1211rw where it would reject
packets in the ->tx() method but leave them modified,
which would cause retransmit attempts with completely
bogus skbs, eventually leading to a panic due to not
having enough headroom in those.
This patch adds a sanity check to mac80211 to catch
such driver mistakes; in this case we warn and drop
the skb.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
---
net/mac80211/tx.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- wireless-testing.orig/net/mac80211/tx.c 2009-03-23 14:03:46.000000000 +0100
+++ wireless-testing/net/mac80211/tx.c 2009-03-23 14:03:47.000000000 +0100
@@ -1089,7 +1089,7 @@ static int __ieee80211_tx(struct ieee802
{
struct sk_buff *skb = *skbp, *next;
struct ieee80211_tx_info *info;
- int ret;
+ int ret, len;
bool fragm = false;
local->mdev->trans_start = jiffies;
@@ -1125,7 +1125,12 @@ static int __ieee80211_tx(struct ieee802
}
next = skb->next;
+ len = skb->len;
ret = local->ops->tx(local_to_hw(local), skb);
+ if (WARN_ON(ret != NETDEV_TX_OK && skb->len != len)) {
+ dev_kfree_skb(skb);
+ ret = NETDEV_TX_OK;
+ }
if (ret != NETDEV_TX_OK)
return IEEE80211_TX_AGAIN;
*skbp = skb = next;
--
next prev parent reply other threads:[~2009-03-23 16:32 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-03-23 16:28 [PATCH 0/8] mac80211 aggregation improvements Johannes Berg
2009-03-23 16:28 ` [PATCH 1/8] mac80211: rewrite fragmentation Johannes Berg
2009-03-26 1:21 ` Luis R. Rodriguez
2009-03-26 1:26 ` Julian Calaby
2009-03-26 1:34 ` Luis R. Rodriguez
2009-03-26 1:34 ` Luis R. Rodriguez
2009-03-26 8:15 ` Johannes Berg
2009-03-23 16:28 ` [PATCH 2/8] mac80211: fix A-MPDU queue assignment Johannes Berg
2009-03-26 1:41 ` Luis R. Rodriguez
2009-03-23 16:28 ` [PATCH 3/8] mac80211: rework the pending packets code Johannes Berg
2009-03-27 22:22 ` Luis R. Rodriguez
2009-03-27 22:36 ` Johannes Berg
2009-03-23 16:28 ` [PATCH 4/8] mac80211: clean up __ieee80211_tx args Johannes Berg
2009-03-27 22:26 ` Luis R. Rodriguez
2009-03-23 16:28 ` [PATCH 5/8] mac80211: unify and fix TX aggregation start Johannes Berg
2009-03-28 2:27 ` Luis R. Rodriguez
2009-03-28 3:01 ` Luis R. Rodriguez
2009-03-28 17:28 ` Johannes Berg
2009-03-23 16:28 ` Johannes Berg [this message]
2009-03-28 2:40 ` [PATCH 6/8] mac80211: add skb length sanity checking Luis R. Rodriguez
2009-03-28 3:00 ` Luis R. Rodriguez
2009-03-28 17:29 ` Johannes Berg
2009-03-23 16:28 ` [PATCH 7/8] mac80211: fix aggregation to not require queue stop Johannes Berg
2009-03-28 4:55 ` Luis R. Rodriguez
2009-03-28 17:41 ` Johannes Berg
2009-03-28 19:18 ` Luis R. Rodriguez
2009-03-28 19:52 ` Johannes Berg
2009-03-28 20:26 ` Luis R. Rodriguez
2009-03-28 20:42 ` Johannes Berg
2009-03-28 21:06 ` Luis R. Rodriguez
2009-03-28 21:17 ` Johannes Berg
2009-03-28 21:40 ` Luis R. Rodriguez
2009-03-23 16:28 ` [PATCH 8/8] mac80211/iwlwifi: move virtual A-MDPU queue bookkeeping to iwlwifi Johannes Berg
2009-03-28 5:04 ` Luis R. Rodriguez
2009-03-24 8:28 ` [PATCH 0/8] mac80211 aggregation improvements Johannes Berg
2009-03-24 16:13 ` Luis R. Rodriguez
2009-03-24 19:48 ` John W. Linville
2009-03-24 20:24 ` Johannes Berg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090323163053.073748867@sipsolutions.net \
--to=johannes@sipsolutions.net \
--cc=linux-wireless@vger.kernel.org \
--cc=linville@tuxdriver.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.