From 7d6694053c642016ef9135a73a00e5623f5ad0d0 Mon Sep 17 00:00:00 2001
From: Sergei Poselenov <sposelenov@emcraft.com>
Date: Sun, 2 Sep 2012 13:14:32 +0400
Subject: [PATCH] --- yaml --- r: 322785 b: refs/heads/master c:
 efd5d6b03bd9c9e0df646c56fb5f4f3e25e5c1ac h: refs/heads/master i:   322783:
 a5ac17b3db9cd365b054f59766a05c8d51935f2a v: v3

---
 [refs]                                        |  2 +-
 trunk/drivers/net/wireless/rt2x00/rt2800usb.c | 10 +++++++++-
 trunk/drivers/net/wireless/rt2x00/rt2x00dev.c |  2 +-
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/[refs] b/[refs]
index 9726748b0fff..95a254b7cded 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: a396e10019eaf3809b0219c966865aaafec12630
+refs/heads/master: efd5d6b03bd9c9e0df646c56fb5f4f3e25e5c1ac
diff --git a/trunk/drivers/net/wireless/rt2x00/rt2800usb.c b/trunk/drivers/net/wireless/rt2x00/rt2800usb.c
index 52a32b5baea0..6b4226b71618 100644
--- a/trunk/drivers/net/wireless/rt2x00/rt2800usb.c
+++ b/trunk/drivers/net/wireless/rt2x00/rt2800usb.c
@@ -667,8 +667,16 @@ static void rt2800usb_fill_rxdone(struct queue_entry *entry,
 	skb_pull(entry->skb, RXINFO_DESC_SIZE);
 
 	/*
-	 * FIXME: we need to check for rx_pkt_len validity
+	 * Check for rx_pkt_len validity. Return if invalid, leaving
+	 * rxdesc->size zeroed out by the upper level.
 	 */
+	if (unlikely(rx_pkt_len == 0 ||
+			rx_pkt_len > entry->queue->data_size)) {
+		ERROR(entry->queue->rt2x00dev,
+			"Bad frame size %d, forcing to 0\n", rx_pkt_len);
+		return;
+	}
+
 	rxd = (__le32 *)(entry->skb->data + rx_pkt_len);
 
 	/*
diff --git a/trunk/drivers/net/wireless/rt2x00/rt2x00dev.c b/trunk/drivers/net/wireless/rt2x00/rt2x00dev.c
index a6b88bd4a1a5..3f07e36f462b 100644
--- a/trunk/drivers/net/wireless/rt2x00/rt2x00dev.c
+++ b/trunk/drivers/net/wireless/rt2x00/rt2x00dev.c
@@ -629,7 +629,7 @@ void rt2x00lib_rxdone(struct queue_entry *entry, gfp_t gfp)
 	 */
 	if (unlikely(rxdesc.size == 0 ||
 		     rxdesc.size > entry->queue->data_size)) {
-		WARNING(rt2x00dev, "Wrong frame size %d max %d.\n",
+		ERROR(rt2x00dev, "Wrong frame size %d max %d.\n",
 			rxdesc.size, entry->queue->data_size);
 		dev_kfree_skb(entry->skb);
 		goto renew_skb;