From patchwork Tue Jun 2 19:11:26 2015
X-Patchwork-Submitter: Jakub Kiciński
X-Patchwork-Id: 6530881
X-Patchwork-Delegate: kvalo@adurom.com
From: Jakub Kicinski
To: Kalle Valo
Cc: linux-wireless, Jakub Kicinski
Subject: [PATCH 2/4] mt7601u: watch out for invalid-length frames
Date: Tue, 2 Jun 2015 21:11:26 +0200
Message-Id: <1433272288-6450-2-git-send-email-moorray3@wp.pl>
In-Reply-To: <1433272288-6450-1-git-send-email-moorray3@wp.pl>
References: <1433272288-6450-1-git-send-email-moorray3@wp.pl>

From: Jakub Kicinski

Users of older Ralink devices report that received frames sometimes have zero length. Watch out for that.

Signed-off-by: Jakub Kicinski
---
drivers/net/wireless/mediatek/mt7601u/dma.c | 14 ++++++++++++-- drivers/net/wireless/mediatek/mt7601u/mac.c | 8 ++++++-- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt7601u/dma.c b/drivers/net/wireless/mediatek/mt7601u/dma.c index 16df67b2e62c..7217da4f1543 100644 --- a/drivers/net/wireless/mediatek/mt7601u/dma.c +++ b/drivers/net/wireless/mediatek/mt7601u/dma.c 
@@ -37,16 +37,20 @@ mt7601u_rx_skb_from_seg(struct mt7601u_dev *dev, struct mt7601u_rxwi *rxwi, void *data, u32 seg_len, u32 truesize, struct page *p) { struct sk_buff *skb; - u32 true_len; - int hdr_len, copy, frag; + u32 true_len, hdr_len = 0, copy, frag; skb = alloc_skb(p ? 128 : seg_len, GFP_ATOMIC); if (!skb) return NULL; true_len = mt76_mac_process_rx(dev, skb, data, rxwi); + if (!true_len || true_len > seg_len) + goto bad_frame; hdr_len = ieee80211_get_hdrlen_from_buf(data, true_len); + if (!hdr_len) + goto bad_frame; + if (rxwi->rxinfo & cpu_to_le32(MT_RXINFO_L2PAD)) { memcpy(skb_put(skb, hdr_len), data, hdr_len); @@ -69,6 +73,12 @@ mt7601u_rx_skb_from_seg(struct mt7601u_dev *dev, struct mt7601u_rxwi *rxwi, } return skb; + +bad_frame: + dev_err_ratelimited(dev->dev, "Error: incorrect frame len:%u hdr:%u\n", + true_len, hdr_len); + dev_kfree_skb(skb); + return NULL; } static void mt7601u_rx_process_seg(struct mt7601u_dev *dev, u8 *data, diff --git a/drivers/net/wireless/mediatek/mt7601u/mac.c b/drivers/net/wireless/mediatek/mt7601u/mac.c index c161bcc6a7fa..7514bce1ac91 100644 --- a/drivers/net/wireless/mediatek/mt7601u/mac.c +++ b/drivers/net/wireless/mediatek/mt7601u/mac.c @@ -450,10 +450,14 @@ u32 mt76_mac_process_rx(struct mt7601u_dev *dev, struct sk_buff *skb, { struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); struct mt7601u_rxwi *rxwi = rxi; - u32 ctl = le32_to_cpu(rxwi->ctl); + u32 len, ctl = le32_to_cpu(rxwi->ctl); u16 rate = le16_to_cpu(rxwi->rate); int rssi; + len = MT76_GET(MT_RXWI_CTL_MPDU_LEN, ctl); + if (len < 10) + return 0; + if (rxwi->rxinfo & cpu_to_le32(MT_RXINFO_DECRYPT)) { status->flag |= RX_FLAG_DECRYPTED; status->flag |= RX_FLAG_IV_STRIPPED | RX_FLAG_MMIC_STRIPPED; 
@@ -474,7 +478,7 @@ u32 mt76_mac_process_rx(struct mt7601u_dev *dev, struct sk_buff *skb, dev->avg_rssi = (dev->avg_rssi * 15) / 16 + (rssi << 8); spin_unlock_bh(&dev->con_mon_lock); - return MT76_GET(MT_RXWI_CTL_MPDU_LEN, ctl); + return len; } static enum mt76_cipher_type
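Review bot: in the first dma.c hunk (mt7601u_rx_skb_from_seg), the new bound `true_len > seg_len` compares only the MPDU length against the segment, while the `MT_RXINFO_L2PAD` branch directly below copies the header on its own with `memcpy(skb_put(skb, hdr_len), data, hdr_len)`. If padding bytes sit between header and payload in the buffer, a frame with true_len equal to seg_len passes the check and the payload copy can still read past the segment. Please state what seg_len covers at this point and include the padding in the bound if it is not already excluded. The same hunk also turns `copy` and `frag` from int into u32, so any later subtraction in this function that could previously go negative now wraps to a large value; that part of the function is not in the diff and deserves a look before merging.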
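Review bot: in the second dma.c hunk, the `bad_frame:` path logs with `dev_err_ratelimited()`, but the commit message says zero-length frames are something the hardware "sometimes" delivers, and the length field comes from device-supplied RX descriptors. Error level for an expected, externally driven condition will fill the log on affected devices even with rate limiting; a debug-level message or a per-device drop counter would be more useful for diagnosis. The "Error:" prefix in the format string is also redundant with the log level. Note that when the jump comes from the `true_len` check, the printed `hdr` value is only the initializer 0, which can be mistaken for a computed header length.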
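Review bot: in the first mac.c hunk (mt76_mac_process_rx), `if (len < 10) return 0;` uses an unexplained literal. It matches the minimum length that ieee80211_get_hdrlen_from_buf() accepts before it returns 0, so the caller's `!hdr_len` check already rejects these frames; if the early return is kept to avoid touching `status` for runt frames, a short comment or a named constant would make that intent clear. The function's return value also gains a new meaning here: 0 now signals "drop this frame" rather than a length, which should be documented at the function since the only caller handling is in a different file.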
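Review bot: in the second mac.c hunk, `dev->avg_rssi` is still updated under `con_mon_lock` before `return len;`, and only afterwards does the caller in dma.c reject the frame on `true_len > seg_len` or `!hdr_len`. Frames that are dropped as malformed therefore continue to feed the RSSI average. Consider validating the length against the segment before calling mt76_mac_process_rx(), or moving the RSSI update after the caller's checks, so that device state is only updated from frames that are actually accepted.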