wil6210: Sanity check for reported DMA length

If Rx descriptor contains garbage, it is possible to access memory beyond
allocated buffer.

Check this condition and drop Rx if the reported length is
unreasonably large.

Signed-off-by: Vladimir Kondratiev <qca_vkondrat@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Vladimir Kondratiev 2013-05-12 14:43:33 +03:00 committed by John W. Linville
parent 7e59444444
commit e270045b56


@ -349,7 +349,13 @@ static struct sk_buff *wil_vring_reap_rx(struct wil6210_priv *wil,
d1 = wil_skb_rxdesc(skb);
*d1 = *d;
wil_vring_advance_head(vring, 1);
dmalen = le16_to_cpu(d1->dma.length);
if (dmalen > sz) {
wil_err(wil, "Rx size too large: %d bytes!\n", dmalen);
kfree(skb);
return NULL;
}
skb_trim(skb, dmalen);
wil->stats.last_mcs_rx = wil_rxdesc_mcs(d1);
@ -362,8 +368,6 @@ static struct sk_buff *wil_vring_reap_rx(struct wil6210_priv *wil,
wil_hex_dump_txrx("Rx ", DUMP_PREFIX_NONE, 32, 4,
(const void *)d, sizeof(*d), false);
wil_vring_advance_head(vring, 1);
/* no extra checks if in sniffer mode */
if (ndev->type != ARPHRD_ETHER)
return skb;
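Review bot: The new drop path inside `if (dmalen > sz)` releases the buffer with `kfree(skb)`, but `skb` is a `struct sk_buff` (the function returns one and calls `skb_trim()` on it), so the line should be `kfree_skb(skb);`. Plain `kfree()` frees only the sk_buff head and not the data buffer attached to it, so each rejected descriptor would leak an Rx buffer; a device that keeps writing bad lengths could turn that into memory exhaustion. The allocation of `skb` and any DMA unmapping happen outside the hunk, so confirm that the buffer is already unmapped by the time this branch returns. Because `dmalen` comes from descriptor memory written by the device, the `wil_err()` line can fire once per packet, so consider rate-limiting it.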