linux-wireless.vger.kernel.org archive mirror
From: Johannes Berg <johannes@sipsolutions.net>
To: John Linville <linville@tuxdriver.com>
Cc: linux-wireless@vger.kernel.org
Subject: [PATCH 6/8] mac80211: add skb length sanity checking
Date: Mon, 23 Mar 2009 17:28:40 +0100
Message-ID: <20090323163053.073748867@sipsolutions.net>
In-Reply-To: 20090323162834.154525349@sipsolutions.net

We just found a bug in zd1211rw where it would reject
packets in the ->tx() method but leave them modified,
which would cause retransmit attempts with completely
bogus skbs, eventually leading to a panic due to not
having enough headroom in those.

This patch adds a sanity check to mac80211 to catch
such driver mistakes; in this case we warn and drop
the skb.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
---
 net/mac80211/tx.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- wireless-testing.orig/net/mac80211/tx.c	2009-03-23 14:03:46.000000000 +0100
+++ wireless-testing/net/mac80211/tx.c	2009-03-23 14:03:47.000000000 +0100
@@ -1089,7 +1089,7 @@ static int __ieee80211_tx(struct ieee802
 {
 	struct sk_buff *skb = *skbp, *next;
 	struct ieee80211_tx_info *info;
-	int ret;
+	int ret, len;
 	bool fragm = false;
 
 	local->mdev->trans_start = jiffies;
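
Review bot: In the changed declaration "int ret, len;", len is a signed int, but the second hunk uses it to hold skb->len, which is unsigned int in struct sk_buff, so the later "skb->len != len" is a signed/unsigned comparison. Declaring it separately as "unsigned int len;" keeps the types matched and avoids tying it to the return-code variable.
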
@@ -1125,7 +1125,12 @@ static int __ieee80211_tx(struct ieee802
 		}
 
 		next = skb->next;
+		len = skb->len;
 		ret = local->ops->tx(local_to_hw(local), skb);
+		if (WARN_ON(ret != NETDEV_TX_OK && skb->len != len)) {
+			dev_kfree_skb(skb);
+			ret = NETDEV_TX_OK;
+		}
 		if (ret != NETDEV_TX_OK)
 			return IEEE80211_TX_AGAIN;
 		*skbp = skb = next;
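
Review bot: The condition on the WARN_ON line compares only skb->len, so a driver that returns an error after modifying the skb in a way that preserves its length (rewriting header bytes in place, for instance) is still handed back for retransmit. Since the commit message names insufficient headroom as the cause of the panic, consider also saving skb_headroom(skb) before the ->tx() call and comparing it afterwards. WARN_ON prints a backtrace for every affected frame, so with a misbehaving driver WARN_ON_ONCE would keep the log readable while still evaluating to the condition. A short comment above the check stating that ->tx() must leave a rejected skb unmodified would keep the reason in tx.c rather than only in the commit message.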

-- 

