Re: [rt2x00-users] [PATCH] compat-wireless:rt2800usb: Added rx packet length validity check

linux-wireless.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Stanislaw Gruszka <sgruszka@redhat.com>
To: Gertjan van Wingerde <gwingerde@gmail.com>
Cc: Ivo Van Doorn <ivdoorn@gmail.com>,
	Sergei Poselenov <sposelenov@emcraft.com>,
	"users@rt2x00.serialmonkey.com" <users@rt2x00.serialmonkey.com>,
	"linux-wireless@vger.kernel.org" <linux-wireless@vger.kernel.org>,
	"Luis R. Rodriguez" <mcgrof@do-not-panic.com>
Subject: Re: [rt2x00-users] [PATCH] compat-wireless:rt2800usb: Added rx packet length validity check
Date: Wed, 22 Aug 2012 11:27:16 +0200	[thread overview]
Message-ID: <20120822092715.GC4959@redhat.com> (raw)
In-Reply-To: <A1D107E0-1E78-4123-88C1-9550064DC9AC@gmail.com>

On Tue, Aug 21, 2012 at 10:07:03PM +0200, Gertjan van Wingerde wrote:
> >>>> +     if (rx_pkt_len > entry->skb->len) {
> >>>> +             rxdesc->flags |= RX_FLAG_FAILED_FCS_CRC;
> >>>> +             goto procrxwi;
> >>> 
> >>> I would rather prefer something like
> >>> 
> >>> if (unlikely(rx_pkt_len == 0 || rx_pkt_len > entry->queue->data_size)) {
> >>>        /* Process error in rt2x00lib_rxdone() */
> >>>        rxdesc->size = rx_pkt_len;
> >>>        return;
> >>> }
> >> 
> >> But how do you know the packet is correct then?
> > Non zero rx_pkt_len smaller than data_size indicate correct package.
> 
> To be honest, I think the original approach of Sergei is better. Not touching rxdesc beyond setting the flag will ensure that rt2x00lib_rxdone will simply bounce the skb without handing an invalid packet over to mac80211. That said, it isn't necessary to set the flag. Just returning from the function is good enough.
> 
> However, the check that Sergei does is not correct either. The real check that should be done is checking whether the skb has enough data to hold both rx_pkt_len bytes + the size of the rxd, which is 1 word (4 bytes). If only rx_pkt_len are left we don't have an rxd, and is the usb packet invalid as well.

Yes, but there is also usb alignment on skb->len, so is better to use
queue->data_size to validate rx_pkt (data) length IMHO.

> >> Obviously something is wrong,
> >> so just resetting the rxdesc->size wouldn't be a solution right?
> > 
> > rt2x00lib_rxdone has rxdesc->size check too, if ->size is bad it 
> > prints warning, and requeue skb. 
> > 
> > Perhaps this could be coded in some cleaner way (avoid double check),
> > but basically this should do the job. 
> 
> As I mentioned above, simply bailing out if rt2800usb_fill_rxdone without doing anything (not even setting a flag) should do the trick and IMHO is the cleanest approach.

IIRC this is basically what I proposed, except without setting
rxdesc->size, unlikely() and rx_pkt_len == 0 check. It will work as
rxdesc->size will be 0. But I think it would be better, if WARNING on
rt2x00lib_rxdone() will print actual corrupted size instead of 0.
Having unlikely is good too - this must be unlikely situation.

BTW: would be good to fix reason of that corruption if possible
(as long this is not a H/W or F/W bug). But for now, let just
stop kernel crashing. Printing WARNING on this situation will
help to identify there is something wrong if someone will observe
performance problems or similar.

Thanks
Stanislaw

next prev parent reply	other threads:[~2012-08-22  9:27 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-08-20 16:53 [PATCH] compat-wireless:rt2800usb: Added rx packet length validity check Sergei Poselenov
2012-08-21 11:43 ` [rt2x00-users] " Stanislaw Gruszka
2012-08-21 13:39   ` Ivo Van Doorn
2012-08-21 14:18     ` Stanislaw Gruszka
2012-08-21 20:07       ` Gertjan van Wingerde
2012-08-22  9:27         ` Stanislaw Gruszka [this message]
2012-08-22 20:41           ` Gertjan van Wingerde
2012-08-22 21:16             ` Stanislaw Gruszka
2012-08-23  5:46             ` Sergei Poselenov
2012-08-26 13:19             ` Sergei Poselenov
2012-09-02  9:14             ` [rt2x00-users] [PATCH V2]: rt2800usb: " Sergei Poselenov
2012-09-02 20:35               ` Ivo Van Doorn
2012-08-26 13:53   ` [rt2x00-users] [PATCH] compat-wireless:rt2800usb: " Sergei Poselenov
2012-08-26 13:56   ` [rt2x00-users] [PATCH] compat-wireless:rt2800usb: Fixed a typo Sergei Poselenov
2012-08-27  8:23     ` Ivo Van Doorn

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20120822092715.GC4959@redhat.com \
    --to=sgruszka@redhat.com \
    --cc=gwingerde@gmail.com \
    --cc=ivdoorn@gmail.com \
    --cc=linux-wireless@vger.kernel.org \
    --cc=mcgrof@do-not-panic.com \
    --cc=sposelenov@emcraft.com \
    --cc=users@rt2x00.serialmonkey.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).