X-Patchwork-Submitter: Haggai Eran
X-Patchwork-Id: 6470731
From: Haggai Eran
To: Larry Finger
Cc: Haggai Eran, Florian Schilhabel, Greg Kroah-Hartman, linux-wireless@vger.kernel.org,
Subject: [PATCH v1] staging: rtl8712: prevent buffer overrun in recvbuf2recvframe
Date: Sat, 23 May 2015 23:13:51 +0300
Message-Id: <1432412031-12871-1-git-send-email-haggai.eran@gmail.com>

With an RTL8191SU USB adaptor, sometimes the hints for a fragmented packet are set, but the packet length is too large. Allocate enough space to prevent memory corruption and a resulting kernel panic [1].

[1] http://www.spinics.net/lists/linux-wireless/msg136546.html

Cc:
Signed-off-by: Haggai Eran
ACKed-by: Larry Finger
---
Hi Larry,

I've updated the patch to avoid truncating the packets. I'm keeping the minimal buffer of 1658 bytes in case some other device does rely on this defragmentation feature.

Regards,
Haggai

 drivers/staging/rtl8712/rtl8712_recv.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/rtl8712/rtl8712_recv.c b/drivers/staging/rtl8712/rtl8712_recv.c index cd8b444..5542243 100644 --- a/drivers/staging/rtl8712/rtl8712_recv.c +++ b/drivers/staging/rtl8712/rtl8712_recv.c 
@@ -1056,7 +1056,8 @@ static int recvbuf2recvframe(struct _adapter *padapter, struct sk_buff *pskb) /* for first fragment packet, driver need allocate 1536 + * drvinfo_sz + RXDESC_SIZE to defrag packet. */ if ((mf == 1) && (frag == 0)) - alloc_sz = 1658;/*1658+6=1664, 1664 is 128 alignment.*/ + /*1658+6=1664, 1664 is 128 alignment.*/ + alloc_sz = max_t(u16, tmp_len, 1658); else alloc_sz = tmp_len; /* 2 is for IP header 4 bytes alignment in QoS packet case.
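
Review bot: In the first-fragment branch, max_t(u16, tmp_len, 1658) casts both operands to u16 before comparing, so if tmp_len is declared wider than u16 (its declaration is outside this hunk) an oversized length would be truncated first and alloc_sz could still come out smaller than the packet; please confirm tmp_len is a u16, or pass max_t the type that tmp_len and alloc_sz actually use. The relocated comment "1658+6=1664, 1664 is 128 alignment" now describes only the 1658 floor, since the result is no longer 128-aligned once tmp_len exceeds 1658, so it should say that 1658 is a minimum. With a comment line sitting between the if and its single statement, braces around both branches would make the if/else easier to read and harder to break in a later edit.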