From: Stanislaw Gruszka <stf_xl@wp.pl>
To: Ivo van Doorn <IvDoorn@gmail.com>
Cc: Helmut Schaa <helmut.schaa@googlemail.com>,
linux-wireless@vger.kernel.org,
Gertjan van Wingerde <gwingerde@gmail.com>
Subject: [PATCH 1/2] rt2x00: fix possible memory corruption in case of invalid rxdesc.size
Date: Sun, 19 Jun 2011 19:46:02 +0200
Message-ID: <20110619174602.GB19934@localhost.localdomain>
In-Reply-To: <20110604172940.GA10984@localhost.localdomain>
Sometimes the rxdesc descriptor provided by hardware contains invalid
(random) data. For example, rxdesc.size can be bigger than the actual
size of the buffer. When this happens, rt2x00crypto_rx_insert_iv()
corrupts memory by doing a memmove outside of the buffer boundaries.
Signed-off-by: Stanislaw Gruszka <stf_xl@wp.pl>
---
drivers/net/wireless/rt2x00/rt2x00dev.c | 13 +++++++++++++
1 files changed, 13 insertions(+), 0 deletions(-)
diff --git a/drivers/net/wireless/rt2x00/rt2x00dev.c b/drivers/net/wireless/rt2x00/rt2x00dev.c
index 939821b..0955c94 100644
--- a/drivers/net/wireless/rt2x00/rt2x00dev.c
+++ b/drivers/net/wireless/rt2x00/rt2x00dev.c
@@ -583,6 +583,18 @@ void rt2x00lib_rxdone(struct queue_entry *entry)
rt2x00dev->ops->lib->fill_rxdone(entry, &rxdesc);
/*
+ * Check for valid size in case we get corrupted descriptor from
+ * hardware.
+ */
+ if (unlikely(rxdesc.size == 0 ||
+ rxdesc.size > entry->queue->data_size)) {
+ WARNING(rt2x00dev, "Wrong frame size %d max %d.\n",
+ rxdesc.size, entry->queue->data_size);
+ dev_kfree_skb(entry->skb);
+ goto renew_skb;
+ }
+
+ /*
* The data behind the ieee80211 header must be
* aligned on a 4 byte boundary.
*/
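Review bot: the WARNING() in the added size check runs on the per-frame receive path with no rate limit, so a device that keeps returning corrupted descriptors will flood the kernel log with "Wrong frame size" messages; a rate-limited or once-only print would avoid that. It is also worth confirming that %d matches the types of rxdesc.size and entry->queue->data_size, and that data_size is the correct upper bound for the buffer this entry actually holds, since the alignment step that follows moves data inside that buffer.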
@@ -642,6 +654,7 @@ void rt2x00lib_rxdone(struct queue_entry *entry)
ieee80211_rx_ni(rt2x00dev->hw, entry->skb);
+renew_skb:
/*
* Replace the skb with the freshly allocated one.
*/
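Review bot: at the renew_skb label the new error path arrives with entry->skb already released by dev_kfree_skb(), so everything below the label has to overwrite entry->skb without reading or unmapping the old pointer. A short comment at the label saying that it is also the drop path, and that entry->skb may be stale there, would keep a later change from introducing a use-after-free.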
--
1.7.4