From: Sergei Poselenov <sposelenov@emcraft.com>
To: Gertjan van Wingerde <gwingerde@gmail.com>
Cc: Stanislaw Gruszka <sgruszka@redhat.com>,
	Ivo Van Doorn <ivdoorn@gmail.com>,
	"users@rt2x00.serialmonkey.com" <users@rt2x00.serialmonkey.com>,
	"linux-wireless@vger.kernel.org" <linux-wireless@vger.kernel.org>,
	"Luis R. Rodriguez" <mcgrof@do-not-panic.com>
Subject: Re: [rt2x00-users] [PATCH V2]: rt2800usb: Added rx packet length validity check
Date: Sun, 02 Sep 2012 13:14:32 +0400
Message-ID: <1346577272.6409.5.camel@mehome>
In-Reply-To: <70A1AEFB-59F7-4947-B2A0-A89C29C3108B@gmail.com>

On our system (ARM Cortex-M3 SOC running linux-2.6.33)
frequent crashes were observed in the rt2800usb module
because of the invalid length of the received packet (3392,
46920...). This patch adds the sanity check on the packet
length. Also, changed WARNING to ERROR in rt2x00lib_rxdone()
so that the bad packet condition would be noticed.

The fix was tested on the latest compat-wireless-3.5.1-1-snpc.

Cc: stable@vger.kernel.org
Signed-off-by: Sergei Poselenov <sposelenov@emcraft.com>
---
 drivers/net/wireless/rt2x00/rt2800usb.c |   10 +++++++++-
 drivers/net/wireless/rt2x00/rt2x00dev.c |    2 +-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/rt2x00/rt2800usb.c b/drivers/net/wireless/rt2x00/rt2800usb.c
index f8085b2..48df102 100644
--- a/drivers/net/wireless/rt2x00/rt2800usb.c
+++ b/drivers/net/wireless/rt2x00/rt2800usb.c
@@ -667,8 +667,16 @@ static void rt2800usb_fill_rxdone(struct queue_entry *entry,
 	skb_pull(entry->skb, RXINFO_DESC_SIZE);
 
 	/*
-	 * FIXME: we need to check for rx_pkt_len validity
+	 * Check for rx_pkt_len validity. Return if invalid, leaving
+	 * rxdesc->size zeroed out by the upper level.
 	 */
+	if (unlikely(rx_pkt_len == 0 ||
+			rx_pkt_len > entry->queue->data_size)) {
+		ERROR(entry->queue->rt2x00dev,
+			"Bad frame size %d, forcing to 0\n", rx_pkt_len);
+		return;
+	}
+
 	rxd = (__le32 *)(entry->skb->data + rx_pkt_len);
 
 	/*
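Review bot: The new bound on rx_pkt_len does not cover the access that follows it. The check accepts any value up to entry->queue->data_size, but the next line points rxd at entry->skb->data + rx_pkt_len, so a length equal or close to data_size passes while the descriptor words start at or near the end of that range. Consider bounding the device-supplied length against the bytes actually present in the skb after skb_pull() (for example entry->skb->len) less the size of the descriptor rxd points to, so rxd can never land outside the received buffer. The "forcing to 0" wording also depends on the caller having zeroed rxdesc, as the comment says; a short note on that contract at the call site would keep it from breaking silently.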
diff --git a/drivers/net/wireless/rt2x00/rt2x00dev.c b/drivers/net/wireless/rt2x00/rt2x00dev.c
index a59048f..10cf672 100644
--- a/drivers/net/wireless/rt2x00/rt2x00dev.c
+++ b/drivers/net/wireless/rt2x00/rt2x00dev.c
@@ -629,7 +629,7 @@ void rt2x00lib_rxdone(struct queue_entry *entry, gfp_t gfp)
 	 */
 	if (unlikely(rxdesc.size == 0 ||
 		     rxdesc.size > entry->queue->data_size)) {
-		WARNING(rt2x00dev, "Wrong frame size %d max %d.\n",
+		ERROR(rt2x00dev, "Wrong frame size %d max %d.\n",
 			rxdesc.size, entry->queue->data_size);
 		dev_kfree_skb(entry->skb);
 		goto renew_skb;
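Review bot: With this message promoted to ERROR, one bad frame from rt2800usb is now reported twice: first as "Bad frame size" in rt2800usb_fill_rxdone(), then here as "Wrong frame size 0", because the early return leaves rxdesc.size at zero and this check fires on it. The length comes from the device, so a burst of bad frames can fill the log; consider keeping only one of the two messages or rate-limiting this one. Note too that after the early return the value printed here is 0 rather than the bad length, so only the rt2800usb message carries the useful number.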
-- 
1.7.4.4



