From 3c23a9d02b3d1d93640bc7c6b4a45a5036421493 Mon Sep 17 00:00:00 2001
From: Stanislaw Gruszka <stf_xl@wp.pl>
Date: Sun, 19 Jun 2011 19:46:02 +0200
Subject: [PATCH] --- yaml --- r: 255860 b: refs/heads/master c:
 7f503fc49f144bb509dbd33daf3426df3f176e6b h: refs/heads/master v: v3

---
 [refs]                                        |  2 +-
 trunk/drivers/net/wireless/rt2x00/rt2x00dev.c | 13 +++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/[refs] b/[refs]
index 8ab4a15fab4a..049d3668f3c3 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: 9c803a03bc07553f8148d024c15c784b28c1d9ee
+refs/heads/master: 7f503fc49f144bb509dbd33daf3426df3f176e6b
diff --git a/trunk/drivers/net/wireless/rt2x00/rt2x00dev.c b/trunk/drivers/net/wireless/rt2x00/rt2x00dev.c
index 939821b4af2f..0955c941317f 100644
--- a/trunk/drivers/net/wireless/rt2x00/rt2x00dev.c
+++ b/trunk/drivers/net/wireless/rt2x00/rt2x00dev.c
@@ -582,6 +582,18 @@ void rt2x00lib_rxdone(struct queue_entry *entry)
 	memset(&rxdesc, 0, sizeof(rxdesc));
 	rt2x00dev->ops->lib->fill_rxdone(entry, &rxdesc);
 
+	/*
+	 * Check for valid size in case we get corrupted descriptor from
+	 * hardware.
+	 */
+	if (unlikely(rxdesc.size == 0 ||
+		     rxdesc.size > entry->queue->data_size)) {
+		WARNING(rt2x00dev, "Wrong frame size %d max %d.\n",
+			rxdesc.size, entry->queue->data_size);
+		dev_kfree_skb(entry->skb);
+		goto renew_skb;
+	}
+
 	/*
 	 * The data behind the ieee80211 header must be
 	 * aligned on a 4 byte boundary.
@@ -642,6 +654,7 @@ void rt2x00lib_rxdone(struct queue_entry *entry)
 
 	ieee80211_rx_ni(rt2x00dev->hw, entry->skb);
 
+renew_skb:
 	/*
 	 * Replace the skb with the freshly allocated one.
 	 */