From: Stanislaw Gruszka <sgruszka@redhat.com>
To: Sergei Poselenov <sposelenov@emcraft.com>
Cc: users@rt2x00.serialmonkey.com, linux-wireless@vger.kernel.org,
"Luis R. Rodriguez" <mcgrof@do-not-panic.com>
Subject: Re: [rt2x00-users] [PATCH] compat-wireless:rt2800usb: Added rx packet length validity check
Date: Tue, 21 Aug 2012 13:43:44 +0200 [thread overview]
Message-ID: <20120821114343.GB2380@redhat.com> (raw)
In-Reply-To: <20120820205355.7ccc0450@emcraft.com>
On Mon, Aug 20, 2012 at 08:53:55PM +0400, Sergei Poselenov wrote:
> On our system (ARM Cortex-M3 SOC running linux-2.6.33 with
> compat-wireless-3.4-rc3-1 modules configured for rt2x00) frequent
Please remove compat-wireless reference here and in the subject.
> crashes were observed in rt2800usb module because of the invalid
> length of the received packet (3392, 46920...). This patch adds
> the sanity check on the packet legth. In case of the bad length,
> mark the packet as with CRC error.
>
> The fix was also tested on the latest
> compat-wireless-3.5.1-1-snpc.tar.bz2, applies cleanly.
>
> Cc: stable@vger.kernel.org
> Signed-off-by: Sergei Poselenov <sposelenov@emcraft.com>
> ---
> drivers/net/wireless/rt2x00/rt2800usb.c | 10 ++++++++--
> 1 files changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/usbwifi/compat-wireless-3.4-rc3-1/drivers/net/wireless/rt2x00/rt2800usb.c b/usbwifi/compat-wireless-3.4-rc3-1/drivers/net/wireless/rt2x00/rt2800usb.c
> index 001735f..6776ec8 100644
> --- a/usbwifi/compat-wireless-3.4-rc3-1/drivers/net/wireless/rt2x00/rt2800usb.c
> +++ b/usbwifi/compat-wireless-3.4-rc3-1/drivers/net/wireless/rt2x00/rt2800usb.c
> @@ -662,13 +662,18 @@ static void rt2800usb_fill_rxdone(struct queue_entry *entry,
> rx_pkt_len = rt2x00_get_field32(word, RXINFO_W0_USB_DMA_RX_PKT_LEN);
>
> /*
> - * Remove the RXINFO structure from the sbk.
> + * Remove the RXINFO structure from the skb.
> */
> skb_pull(entry->skb, RXINFO_DESC_SIZE);
Would be great if you could post this as separate patch.
> /*
> - * FIXME: we need to check for rx_pkt_len validity
> + * Check for rx_pkt_len validity, mark as failed.
> */
> + if (rx_pkt_len > entry->skb->len) {
> + rxdesc->flags |= RX_FLAG_FAILED_FCS_CRC;
> + goto procrxwi;
I would rather prefer something like
if (unlikely(rx_pkt_len == 0 || rx_pkt_len > entry->queue->data_size)) {
/* Process error in rt2x00lib_rxdone() */
rxdesc->size = rx_pkt_len;
return;
}
Thanks
Stanislaw
next prev parent reply other threads:[~2012-08-21 11:44 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-08-20 16:53 [PATCH] compat-wireless:rt2800usb: Added rx packet length validity check Sergei Poselenov
2012-08-21 11:43 ` Stanislaw Gruszka [this message]
2012-08-21 13:39 ` [rt2x00-users] " Ivo Van Doorn
2012-08-21 14:18 ` Stanislaw Gruszka
2012-08-21 20:07 ` Gertjan van Wingerde
2012-08-22 9:27 ` Stanislaw Gruszka
2012-08-22 20:41 ` Gertjan van Wingerde
2012-08-22 21:16 ` Stanislaw Gruszka
2012-08-23 5:46 ` Sergei Poselenov
2012-08-26 13:19 ` Sergei Poselenov
2012-09-02 9:14 ` [rt2x00-users] [PATCH V2]: rt2800usb: " Sergei Poselenov
2012-09-02 20:35 ` Ivo Van Doorn
2012-08-26 13:53 ` [rt2x00-users] [PATCH] compat-wireless:rt2800usb: " Sergei Poselenov
2012-08-26 13:56 ` [rt2x00-users] [PATCH] compat-wireless:rt2800usb: Fixed a typo Sergei Poselenov
2012-08-27 8:23 ` Ivo Van Doorn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120821114343.GB2380@redhat.com \
--to=sgruszka@redhat.com \
--cc=linux-wireless@vger.kernel.org \
--cc=mcgrof@do-not-panic.com \
--cc=sposelenov@emcraft.com \
--cc=users@rt2x00.serialmonkey.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).