From a5f40e177a978e8e3f2e9d6651e2d295a9b240af Mon Sep 17 00:00:00 2001 From: Robie Basak Date: Fri, 18 Jan 2008 23:58:44 -0800 Subject: [PATCH] --- yaml --- r: 79279 b: refs/heads/master c: 5d780cd6585d242d9592a479fe75a007fd75155d h: refs/heads/master i: 79277: 69a70f4819c84164f76476fb7b4f8155cf676533 79275: eb6e00d2412212da99773b3a3bb0b0597565cfe2 79271: 06225ff9286c3fd88ce367b2e33f006a2b56315b 79263: 9452601a52a9f39fa1618416f4cc34d55ee6f54b v: v3 --- [refs] | 2 +- trunk/net/irda/ircomm/ircomm_core.c | 12 ++++++++++++ trunk/net/irda/irlap_event.c | 13 +++++++++++++ 3 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/[refs] b/[refs]
index d57d02d2a3d2..14192d987f2f 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: 6d97b53e92af822890b87818c99820df47fc589b
+refs/heads/master: 5d780cd6585d242d9592a479fe75a007fd75155d
diff --git a/trunk/net/irda/ircomm/ircomm_core.c b/trunk/net/irda/ircomm/ircomm_core.c
index 2d63fa8e1556..b825399fc160 100644
--- a/trunk/net/irda/ircomm/ircomm_core.c
+++ b/trunk/net/irda/ircomm/ircomm_core.c
@@ -362,6 +362,18 @@ void ircomm_process_data(struct ircomm_cb *self, struct sk_buff *skb)
 clen = skb->data[0];
+ /*
+ * Input validation check: a stir4200/mcp2150 combinations sometimes
+ * results in frames with clen > remaining packet size. These are
+ * illegal; if we throw away just this frame then it seems to carry on
+ * fine
+ */
+ if (unlikely(skb->len < (clen + 1))) {
+ IRDA_DEBUG(2, "%s() throwing away illegal frame\n",
+ __FUNCTION__ );
+ return;
+ }
+
 /*
 * If there are any data hiding in the control channel, we must
 * deliver it first. The side effect is that the control channel
diff --git a/trunk/net/irda/irlap_event.c b/trunk/net/irda/irlap_event.c
index 6d3aff862dc2..6af86eba7463 100644
--- a/trunk/net/irda/irlap_event.c
+++ b/trunk/net/irda/irlap_event.c
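Review bot: The new guard in ircomm_process_data() drops the frame with only an `IRDA_DEBUG(2, ...)` message that omits the offending lengths, so a peer that keeps sending frames with an oversized clen is hard to spot and to diagnose; I would log both values, e.g. `IRDA_DEBUG(2, "%s() throwing away illegal frame (clen %d, len %u)\n", __FUNCTION__, clen, skb->len);` (the specifiers assume clen is an int, which the hunk does not show). The comment presents this as a stir4200/mcp2150 quirk, but clen is the first byte of a received frame and so is set by whoever is on the other end of the link; a line such as `clen comes straight from the received frame and must never exceed skb->len - 1` would state the invariant the check enforces. Note that `skb->data[0]` is read before the check, which is only safe if an earlier test guarantees a non-empty skb, and that the early `return` should treat the skb the same way as the function's other exits; both lie outside this hunk.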
@@ -1199,6 +1199,19 @@ static int irlap_state_nrm_p(struct irlap_cb *self, IRLAP_EVENT event,
 switch (event) {
 case RECV_I_RSP: /* Optimize for the common case */
+ if (unlikely(skb->len <= LAP_ADDR_HEADER + LAP_CTRL_HEADER)) {
+ /*
+ * Input validation check: a stir4200/mcp2150
+ * combination sometimes results in an empty i:rsp.
+ * This makes no sense; we can just ignore the frame
+ * and send an rr:cmd immediately. This happens before
+ * changing nr or ns so triggers a retransmit
+ */
+ irlap_wait_min_turn_around(self, &self->qos_tx);
+ irlap_send_rr_frame(self, CMD_FRAME);
+ /* Keep state */
+ break;
+ }
 /* FIXME: must check for remote_busy below */
 #ifdef CONFIG_IRDA_FAST_RR
 /*
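Review bot: The empty-i:rsp branch added under `case RECV_I_RSP` discards the frame silently and answers every such frame with an immediate rr:cmd, with no counter or limit visible in the hunk, so a peer that keeps sending header-only frames causes an unbounded poll/retransmit exchange that leaves no trace. At minimum I would add a debug line matching the one in the ircomm_core.c hunk, `IRDA_DEBUG(2, "%s() ignoring empty i:rsp\n", __FUNCTION__);`, and check whether the state machine's existing retry accounting (outside this hunk, if any) should be charged for these frames. The guard covers only this state and event; other handlers that receive I-frames are not in the diff and may need the same length test. irlap_state_nrm_p() starts and ends outside the hunk, so how the skb and the return value are handled after `break` cannot be confirmed from here.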