rt2x00: fix possible memory corruption in case of invalid rxdesc.size
Sometimes rxdesc descriptor provided by hardware contains invalid
(random) data. For example rxdesc.size can be bigger than actual
size of the buffer. When this happens rt2x00crypto_rx_insert_iv()
corrupts memory doing memmove outside of buffer boundaries.

Signed-off-by: Stanislaw Gruszka <stf_xl@wp.pl>
Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Stanislaw Gruszka authored and John W. Linville committed Jun 22, 2011
1 parent 9c803a0 commit 7f503fc
Showing 1 changed file with 13 additions and 0 deletions.
13 changes: 13 additions & 0 deletions drivers/net/wireless/rt2x00/rt2x00dev.c
Expand Up @@ -582,6 +582,18 @@ void rt2x00lib_rxdone(struct queue_entry *entry)
memset(&rxdesc, 0, sizeof(rxdesc));
rt2x00dev->ops->lib->fill_rxdone(entry, &rxdesc);

/*
* Check for valid size in case we get corrupted descriptor from
* hardware.
*/
if (unlikely(rxdesc.size == 0 ||
rxdesc.size > entry->queue->data_size)) {
WARNING(rt2x00dev, "Wrong frame size %d max %d.\n",
rxdesc.size, entry->queue->data_size);
dev_kfree_skb(entry->skb);
goto renew_skb;
}

/*
* The data behind the ieee80211 header must be
* aligned on a 4 byte boundary.
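Review bot: The WARNING() in the new size check is not rate-limited, and the commit message says the hardware hands back random descriptor data "sometimes", so a misbehaving device could fill the kernel log with "Wrong frame size" lines from the receive path. Consider a rate-limited print, or a counter with a single warning. Also check the format string: if rxdesc.size and entry->queue->data_size are unsigned, %u would match them and avoid printing a large garbage size as a negative number. It would help to extend the comment to say that the frame is dropped here and the skb freed before jumping to renew_skb, since that is the part a reader has to piece together from the two hunks.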
Expand Down Expand Up @@ -642,6 +654,7 @@ void rt2x00lib_rxdone(struct queue_entry *entry)

ieee80211_rx_ni(rt2x00dev->hw, entry->skb);

renew_skb:
/*
* Replace the skb with the freshly allocated one.
*/
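Review bot: The renew_skb label is now reachable with entry->skb already released by dev_kfree_skb() in the invalid-size branch, but nothing at the label says so. The only comment there is "Replace the skb with the freshly allocated one", which reads as if the old skb had just been handed to ieee80211_rx_ni(). A one-line note at the label that it is also entered from the error path, and that nothing after it may dereference the old entry->skb, would protect this from later edits that add code between the label and the replacement.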