Currently, the length of USB messages sent from host to Wi-Fi dongle is
not checked. Without the check, we could crash the firmware.
The length limits are determined by _HIFusb_get_max_msg_len_patch()
in the firmware code, located in k2_HIF_usb_patch.c and HIF_usb_patch.c
of the open-ath9k-htc-firmware project. The limits are 512 and 1600
bytes for regout and Wi-Fi TX messages respectively.
I'm not sure if the firmware crash is due to buffer overflow if RXing
too long USB messages but the length limit is clear and verified.
Somebody knowing hardware internals could help.
We should try our best not to crash the firmware. Note that setting the
MTU limit may not work: monitor interfaces will ignore the limit.
So we just drop too long messages and give warning on such events.
How to reproduce a crash:
1. Insert a supported Wi-Fi card
2. Associate to an AP
3. Increase MTU of interface: # ip link set wlan0 mtu 2000
4. Generate some big packets: $ ping <gateway> -s 1550
5. The firmware should crash. If not, repeat step 4.
Tested on TP-LINK TL-WN722N v1(AR9271) and TL-WN821N v3(AR7010+AR9287).
Signed-off-by: Chien Wong <[email protected]>
---
drivers/net/wireless/ath/ath9k/hif_usb.c | 12 ++++++++++++
drivers/net/wireless/ath/ath9k/hif_usb.h | 3 +++
2 files changed, 15 insertions(+)
diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
index 0c7841f95228..caee35d59ba7 100644
--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -103,6 +103,11 @@ static int hif_usb_send_regout(struct hif_device_usb *hif_dev,
struct cmd_buf *cmd;
int ret = 0;
+ if (skb->len > MAX_USB_REG_OUT_PIPE_MSG_SIZE) {
+ dev_err(&hif_dev->udev->dev, "ath9k_htc: Too long regout msg\n");
+ return -EMSGSIZE;
+ }
+
urb = usb_alloc_urb(0, GFP_KERNEL);
if (urb == NULL)
return -ENOMEM;
@@ -381,6 +386,13 @@ static int hif_usb_send_tx(struct hif_device_usb *hif_dev, struct sk_buff *skb)
spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
+ if (skb->len > MAX_USB_WLAN_TX_PIPE_MSG_SIZE) {
+ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
+ dev_warn_ratelimited(&hif_dev->udev->dev,
+ "ath9k_htc: Too long TX packet(len=%u)\n", skb->len);
+ return -EMSGSIZE;
+ }
+
if (hif_dev->tx.flags & HIF_USB_TX_STOP) {
spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
return -ENODEV;
diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.h b/drivers/net/wireless/ath/ath9k/hif_usb.h
index b3e66b0485a5..f8fd78309829 100644
--- a/drivers/net/wireless/ath/ath9k/hif_usb.h
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.h
@@ -50,6 +50,9 @@ extern int htc_use_dev_fw;
#define ATH_USB_RX_STREAM_MODE_TAG 0x4e00
#define ATH_USB_TX_STREAM_MODE_TAG 0x697e
+#define MAX_USB_REG_OUT_PIPE_MSG_SIZE 512
+#define MAX_USB_WLAN_TX_PIPE_MSG_SIZE 1600
+
/* FIXME: Verify these numbers (with Windows) */
#define MAX_TX_URB_NUM 8
#define MAX_TX_BUF_NUM 256
--
2.44.0
Chien Wong <[email protected]> writes:
> Currently, the length of USB messages sent from host to Wi-Fi dongle is
> not checked. Without the check, we could crash the firmware.
>
> The length limits are determined by _HIFusb_get_max_msg_len_patch()
> in the firmware code, located in k2_HIF_usb_patch.c and HIF_usb_patch.c
> of the open-ath9k-htc-firmware project. The limits are 512 and 1600
> bytes for regout and Wi-Fi TX messages respectively.
> I'm not sure if the firmware crash is due to buffer overflow if RXing
> too long USB messages but the length limit is clear and verified.
> Somebody knowing hardware internals could help.
>
> We should try our best not to crash the firmware. Note that setting the
> MTU limit may not work: monitor interfaces will ignore the limit.
> So we just drop too long messages and give warning on such events.
Silently dropping packets seems like a bad idea. If needed, we can have
a length check with a warning *in addition* to the MTU limit, but we
should definitely disallow the MTU change first...
-Toke