2014-08-18 09:09:47

by Avinash Patil

Subject: [PATCH 1/4] mwifiex: avoid processing RX packets with invalid length

If rx_len received in interface header from FW is more than
RX buffer size, skb_put for such length results into skb_panic.
Avoid this by not processing such packets. We just print a warning
for such packets and free skb.

Reviewed-by: Paul Stewart <[email protected]>
Signed-off-by: Avinash Patil <[email protected]>
Signed-off-by: Amitkumar Karwar <[email protected]>
Signed-off-by: Bing Zhao <[email protected]>
Signed-off-by: Marc Yang <[email protected]>
---
drivers/net/wireless/mwifiex/pcie.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/drivers/net/wireless/mwifiex/pcie.c b/drivers/net/wireless/mwifiex/pcie.c
index c16dd2c..fbb0550 100644
--- a/drivers/net/wireless/mwifiex/pcie.c
+++ b/drivers/net/wireless/mwifiex/pcie.c
@@ -1271,12 +1271,20 @@ static int mwifiex_pcie_process_recv_data(struct mwifiex_adapter *adapter)
*/
pkt_len = *((__le16 *)skb_data->data);
rx_len = le16_to_cpu(pkt_len);
- skb_put(skb_data, rx_len);
- dev_dbg(adapter->dev,
- "info: RECV DATA: Rd=%#x, Wr=%#x, Len=%d\n",
- card->rxbd_rdptr, wrptr, rx_len);
- skb_pull(skb_data, INTF_HEADER_LEN);
- mwifiex_handle_rx_packet(adapter, skb_data);
+ if (WARN_ON(rx_len <= INTF_HEADER_LEN ||
+ rx_len > MWIFIEX_RX_DATA_BUF_SIZE)) {
+ dev_err(adapter->dev,
+ "Invalid RX len %d, Rd=%#x, Wr=%#x\n",
+ rx_len, card->rxbd_rdptr, wrptr);
+ dev_kfree_skb_any(skb_data);
+ } else {
+ skb_put(skb_data, rx_len);
+ dev_dbg(adapter->dev,
+ "info: RECV DATA: Rd=%#x, Wr=%#x, Len=%d\n",
+ card->rxbd_rdptr, wrptr, rx_len);
+ skb_pull(skb_data, INTF_HEADER_LEN);
+ mwifiex_handle_rx_packet(adapter, skb_data);
+ }

skb_tmp = dev_alloc_skb(MWIFIEX_RX_DATA_BUF_SIZE);
if (!skb_tmp) {
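
Review bot: The WARN_ON() wrapped around the new length test fires on rx_len, which is read directly from the interface header the firmware wrote, so each bad descriptor produces a full backtrace followed by an unthrottled dev_err(). A device that keeps returning bad lengths can flood the kernel log from the RX path. A plain if with dev_err_ratelimited() would keep the drop-and-free behaviour and the diagnostic values (rx_len, Rd, Wr) without the backtrace per packet.
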
--
1.8.1.4


2014-08-28 18:45:17

by John W. Linville

Subject: Re: [PATCH 1/4] mwifiex: avoid processing RX packets with invalid length

This patch does not apply...

On Mon, Aug 18, 2014 at 02:07:10AM -0700, Avinash Patil wrote:
> If rx_len received in interface header from FW is more than
> RX buffer size, skb_put for such length results into skb_panic.
> Avoid this by not processing such packets. We just print a warning
> for such packets and free skb.
>
> Reviewed-by: Paul Stewart <[email protected]>
> Signed-off-by: Avinash Patil <[email protected]>
> Signed-off-by: Amitkumar Karwar <[email protected]>
> Signed-off-by: Bing Zhao <[email protected]>
> Signed-off-by: Marc Yang <[email protected]>
> ---
> drivers/net/wireless/mwifiex/pcie.c | 20 ++++++++++++++------
> 1 file changed, 14 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/net/wireless/mwifiex/pcie.c b/drivers/net/wireless/mwifiex/pcie.c
> index c16dd2c..fbb0550 100644
> --- a/drivers/net/wireless/mwifiex/pcie.c
> +++ b/drivers/net/wireless/mwifiex/pcie.c
> @@ -1271,12 +1271,20 @@ static int mwifiex_pcie_process_recv_data(struct mwifiex_adapter *adapter)
> */
> pkt_len = *((__le16 *)skb_data->data);
> rx_len = le16_to_cpu(pkt_len);
> - skb_put(skb_data, rx_len);
> - dev_dbg(adapter->dev,
> - "info: RECV DATA: Rd=%#x, Wr=%#x, Len=%d\n",
> - card->rxbd_rdptr, wrptr, rx_len);
> - skb_pull(skb_data, INTF_HEADER_LEN);
> - mwifiex_handle_rx_packet(adapter, skb_data);
> + if (WARN_ON(rx_len <= INTF_HEADER_LEN ||
> + rx_len > MWIFIEX_RX_DATA_BUF_SIZE)) {
> + dev_err(adapter->dev,
> + "Invalid RX len %d, Rd=%#x, Wr=%#x\n",
> + rx_len, card->rxbd_rdptr, wrptr);
> + dev_kfree_skb_any(skb_data);
> + } else {
> + skb_put(skb_data, rx_len);
> + dev_dbg(adapter->dev,
> + "info: RECV DATA: Rd=%#x, Wr=%#x, Len=%d\n",
> + card->rxbd_rdptr, wrptr, rx_len);
> + skb_pull(skb_data, INTF_HEADER_LEN);
> + mwifiex_handle_rx_packet(adapter, skb_data);
> + }
>
> skb_tmp = dev_alloc_skb(MWIFIEX_RX_DATA_BUF_SIZE);
> if (!skb_tmp) {
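
Review bot: The upper bound in the rx_len test is the constant MWIFIEX_RX_DATA_BUF_SIZE rather than the room actually left in skb_data. Comparing against skb_tailroom(skb_data) would tie the check to the buffer that skb_put() is about to extend, and would stay correct if the allocation size used for these buffers ever changes. The lower bound, rx_len <= INTF_HEADER_LEN, is also not mentioned in the commit message, which only describes lengths larger than the RX buffer; the changelog should say that short lengths are dropped too and why.
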
> --
> 1.8.1.4
>

--
John W. Linville Someday the world will need a hero, and you
[email protected] might be all we have. Be ready.