public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed
From: Jakemuksen spammiosote <jhroska@byterapers.com>
To: linux-kernel@vger.kernel.org
Cc: dbrownell@users.sourceforge.net
Subject: [PATCH] usbnet.c, buf.overrun crash-bugfix, Kernel 2.6.12-rc1
Date: Thu, 24 Mar 2005 18:05:14 +0200 (EET)	[thread overview]
Message-ID: <Pine.LNX.4.61.0503241722160.30661@byterapers.com> (raw)

Atleast versions 2.6.5 - 2.6.12-rc1 crash if an USB device using usbnet 
sends oversized packet. Such packets occur most likely with broken
device. Here's a patch that throws away such packet, to keep the machine
from crashing. Hopefully this doesn't leave memory unreleased. If it does, 
it's still better than crashing as such oversized packets are really rare.

Signed-off-by: Jarkko Hakala <jhroska@byterapers.com>

diff -Nur linux-2.6.12-rc1-orig/drivers/usb/net/usbnet.c 
linux-2.6.12-rc1/drivers/usb/net/usbnet.c
--- linux-2.6.12-rc1-orig/drivers/usb/net/usbnet.c      2005-03-18 
03:34:13.000000000 +0200
+++ linux-2.6.12-rc1/drivers/usb/net/usbnet.c   2005-03-24 
16:46:08.000000000 +0200
@@ -2795,9 +2795,20 @@
         struct usbnet           *dev = entry->dev;
         int                     urb_status = urb->status;

-       skb_put (skb, urb->actual_length);
-       entry->state = rx_done;
-       entry->urb = NULL;
+       if (unlikely((skb->tail + urb->actual_length) > skb->end)) {
+               entry->state = rx_cleanup;
+               dev->stats.rx_errors++;
+               dev->stats.rx_length_errors++;
+               entry->urb = NULL;
+               printk(KERN_ERR
+                      "USB RX packet too long, discarded. "
+                      "Your slave device most likely is broken\n");
+               /* lets hope upper level protocols will recover */
+       } else {
+               skb_put(skb, urb->actual_length);
+               entry->state = rx_done;
+               entry->urb = NULL;
+       }

         switch (urb_status) {
             // success


             reply	other threads:[~2005-03-24 16:06 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-03-24 16:05 Jakemuksen spammiosote [this message]
2005-03-24 16:57 ` [PATCH] usbnet.c, buf.overrun crash-bugfix, Kernel 2.6.12-rc1 David Brownell
2005-03-24 18:13   ` Jakemuksen spammiosote
2005-03-24 18:23     ` David Brownell

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Pine.LNX.4.61.0503241722160.30661@byterapers.com \
    --to=jhroska@byterapers.com \
    --cc=dbrownell@users.sourceforge.net \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox