From: Larry Finger <Larry.Finger@lwfinger.net>
To: Haggai Eran <haggai.eran@gmail.com>
Cc: linux-wireless@vger.kernel.org
Subject: Re: [PATCH] staging: rtl8712: prevent buffer overrun in recvbuf2recvframe
Date: Wed, 20 May 2015 11:39:29 -0500
Message-ID: <555CB8C1.1040007@lwfinger.net>
In-Reply-To: <CAJ=9Czay5pbi6p+n8SxXaJsWG4JR2p_vteKYbLxvoxLVtPQPaQ@mail.gmail.com>
On 05/20/2015 01:17 AM, Haggai Eran wrote:
> On May 19, 2015 08:47, "Haggai Eran" <haggai.eran@gmail.com> wrote:
> >
> > With an RTL8191SU USB adaptor, sometimes the hints for a fragmented
> > packet are set, but the packet length is too large. Truncate the packet
> > to prevent memory corruption.
> >
> > Signed-off-by: Haggai Eran <haggai.eran@gmail.com>
> > ---
> >
> > Hi,
> >
> > I think this solves the issue for me. I'll test it more thoroughly later. I
> > still don't know why a fragmented packet has such a large pkt_len value though.
> >
> > Thanks,
> > Haggai
> >
>
> I guess I was too quick with this patch. It prevents the kernel page faults, but
> with it I still sometimes see the connectivity disappear for a minute or two.
Is anything logged when that happens?
I'm still trying to see where that magic number of 1658 comes from, and how that
affects the RX buffer size.
When I unconditionally set alloc_sz to tmp_len as in the attached patch (I
remembered to refresh it this time), nothing bad has happened here yet. What
happens on your box?
Larry
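Added illustration (written for this thread; it is not Larry's attached patch nor code from the rtl8712 driver) of the sizing Larry is comparing above: the arithmetic from the hunk's context (tmp_len, the 128-byte round_up, the 1658 first-fragment allocation and the +6 alignment slack) with the first-fragment rule selectable, so the pre-patch and patched allocation can be checked against the number of bytes actually copied, plus the length clamp the commit message calls truncation. The RXDESC_SIZE value, the function names and the sample lengths are assumptions; only the constants named in the hunk come from the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Names follow the hunk (tmp_len, pkt_offset, alloc_sz, mf, frag). The
 * RXDESC_SIZE value is an assumption for this example, not taken from the
 * thread; 1658, the +6 slack and the 128-byte rounding are from the hunk. */
#define RXDESC_SIZE      24u
#define FIRST_FRAG_ALLOC 1658u  /* removed branch: 1658 + 6 = 1664, a multiple of 128 */
#define ALIGN_SLACK      6u     /* 2 for IP header alignment + 4 for skb->data */
#define RX_ALIGN         128u

/* Equivalent of the kernel's round_up() for a power-of-two alignment. */
static uint32_t round_up_pow2(uint32_t x, uint32_t align)
{
	return (x + align - 1) & ~(align - 1);
}

struct rx_sizes {
	uint32_t tmp_len;    /* bytes the driver consumes for this frame */
	uint32_t pkt_offset; /* where the next frame starts in the URB buffer */
	uint32_t alloc_sz;   /* bytes allocated for the recv frame */
};

/* The sizing the hunk's context performs. keep_first_frag_rule selects the
 * pre-patch behaviour (fixed 1658-byte buffer for the first fragment of a
 * fragmented packet) or the patched behaviour (always tmp_len). */
static struct rx_sizes compute_sizes(uint32_t pkt_len, uint32_t drvinfo_sz,
				     bool mf, uint32_t frag,
				     bool keep_first_frag_rule)
{
	struct rx_sizes s;

	s.tmp_len = pkt_len + drvinfo_sz + RXDESC_SIZE;
	s.pkt_offset = round_up_pow2(s.tmp_len, RX_ALIGN);
	if (keep_first_frag_rule && mf && frag == 0)
		s.alloc_sz = FIRST_FRAG_ALLOC;
	else
		s.alloc_sz = s.tmp_len;
	s.alloc_sz += ALIGN_SLACK;
	return s;
}

/* True when more bytes would be copied into the frame than were allocated
 * for it: the overrun the thread reports for oversized fragmented packets. */
static bool overruns_allocation(uint32_t pkt_len, uint32_t drvinfo_sz,
				bool mf, uint32_t frag, bool keep_first_frag_rule)
{
	struct rx_sizes s = compute_sizes(pkt_len, drvinfo_sz, mf, frag,
					  keep_first_frag_rule);
	return s.tmp_len > s.alloc_sz;
}

/* Accessor so the allocation size can be checked directly. */
static uint32_t alloc_sz_for(uint32_t pkt_len, uint32_t drvinfo_sz,
			     bool mf, uint32_t frag, bool keep_first_frag_rule)
{
	return compute_sizes(pkt_len, drvinfo_sz, mf, frag,
			     keep_first_frag_rule).alloc_sz;
}

/* The check the commit message calls truncation: a descriptor may declare a
 * length that runs past the end of the URB receive buffer, so clamp what is
 * consumed to what is actually there. Returns 0 when there is not even room
 * for a descriptor, so the caller can stop parsing the buffer. */
static uint32_t bounded_frame_len(uint32_t tmp_len, size_t buf_remaining)
{
	if (buf_remaining < RXDESC_SIZE)
		return 0;
	if (tmp_len > buf_remaining)
		return (uint32_t)buf_remaining;
	return tmp_len;
}

int main(void)
{
	/* Constructed inputs: a well-formed first fragment and one whose
	 * descriptor claims a payload larger than the fixed buffer. */
	printf("first fragment, pkt_len 100:  overrun=%d\n",
	       overruns_allocation(100, 0, true, 0, true));
	printf("first fragment, pkt_len 2000: overrun=%d (old rule)\n",
	       overruns_allocation(2000, 0, true, 0, true));
	printf("first fragment, pkt_len 2000: overrun=%d (alloc_sz = tmp_len)\n",
	       overruns_allocation(2000, 0, true, 0, false));
	printf("bounded len for tmp_len 2024 with 1500 bytes left: %u\n",
	       bounded_frame_len(2024, 1500));
	return 0;
}
```

With the old rule, a first fragment whose pkt_len pushes tmp_len past 1664 is copied into a 1664-byte frame; with alloc_sz = tmp_len the frame buffer is always large enough, but a bogus pkt_len can still read past the end of the URB buffer, which is what the clamp is for.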
[-- Attachment #2: rtl8712_prevent_buffer_overrun --]
From: Haggai Eran <haggai.eran@gmail.com>
To: Larry Finger <Larry.Finger@lwfinger.net>
Cc: linux-wireless@vger.kernel.org, Haggai Eran <haggai.eran@gmail.com>
Subject: [PATCH] staging: rtl8712: prevent buffer overrun in recvbuf2recvframe
Date: Tue, 19 May 2015 08:47:24 +0300
Message-Id: <1432014444-29039-1-git-send-email-haggai.eran@gmail.com>
With an RTL8191SU USB adaptor, sometimes the hints for a fragmented
packet are set, but the packet length is too large. Truncate the packet
to prevent memory corruption.
Signed-off-by: Haggai Eran <haggai.eran@gmail.com>
---
Hi,
I think this solves the issue for me. I'll test it more thoroughly later. I
still don't know why a fragmented packet has such a large pkt_len value though.
Thanks,
Haggai
drivers/staging/rtl8712/rtl8712_recv.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
Index: wireless-drivers-next/drivers/staging/rtl8712/rtl8712_recv.c
===================================================================
--- wireless-drivers-next.orig/drivers/staging/rtl8712/rtl8712_recv.c
+++ wireless-drivers-next/drivers/staging/rtl8712/rtl8712_recv.c
@@ -1053,12 +1053,7 @@ static int recvbuf2recvframe(struct _ada
precvframe->u.hdr.len = 0;
tmp_len = pkt_len + drvinfo_sz + RXDESC_SIZE;
pkt_offset = (u16)round_up(tmp_len, 128);
- /* for first fragment packet, driver need allocate 1536 +
- * drvinfo_sz + RXDESC_SIZE to defrag packet. */
- if ((mf == 1) && (frag == 0))
- alloc_sz = 1658;/*1658+6=1664, 1664 is 128 alignment.*/
- else
- alloc_sz = tmp_len;
+ alloc_sz = tmp_len;
/* 2 is for IP header 4 bytes alignment in QoS packet case.
* 4 is for skb->data 4 bytes alignment. */
alloc_sz += 6;
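Review bot: this hunk removes the fixed 1658-byte first-fragment allocation instead of truncating an oversized pkt_len, which is what the commit message ("Truncate the packet to prevent memory corruption") describes; the deleted comment says the larger buffer exists so that later fragments can be defragmented into the first one, so allocating only tmp_len for the first fragment moves the question to whether the defrag path bounds its copies. Either keep an explicit length check next to this change (reject or clamp a frame whose tmp_len exceeds what remains in the receive buffer) or reword the commit message to say the fixed allocation is being dropped, and refresh the diffstat, which still reads "5 insertions(+), 1 deletion(-)" while the hunk is +1/-6.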
Thread overview: 8+ messages
2015-05-19 5:47 [PATCH] staging: rtl8712: prevent buffer overrun in recvbuf2recvframe Haggai Eran
2015-05-19 15:51 ` Larry Finger
2015-05-19 17:23 ` Haggai Eran
[not found] ` <CAJ=9Czay5pbi6p+n8SxXaJsWG4JR2p_vteKYbLxvoxLVtPQPaQ@mail.gmail.com>
2015-05-20 16:39 ` Larry Finger [this message]
2015-05-20 19:20 ` Haggai Eran
2015-05-23 17:24 ` Haggai Eran
2015-05-23 17:48 ` Larry Finger
2015-05-23 18:09 ` Haggai Eran