From patchwork Thu Sep 29 19:40:54 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jes Sorensen X-Patchwork-Id: 9356961 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 1F7506077A for ; Thu, 29 Sep 2016 19:41:05 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0F87928AD3 for ; Thu, 29 Sep 2016 19:41:05 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 046C429C27; Thu, 29 Sep 2016 19:41:05 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A679328AD3 for ; Thu, 29 Sep 2016 19:41:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933306AbcI2TlC (ORCPT ); Thu, 29 Sep 2016 15:41:02 -0400 Received: from mx1.redhat.com ([209.132.183.28]:41310 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755404AbcI2Tk5 (ORCPT ); Thu, 29 Sep 2016 15:40:57 -0400 Received: from int-mx13.intmail.prod.int.phx2.redhat.com (int-mx13.intmail.prod.int.phx2.redhat.com [10.5.11.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 3648C6542B; Thu, 29 Sep 2016 19:40:56 +0000 (UTC) Received: from ultrasam.trained-monkey.org (dhcp-10-15-49-40.lga.redhat.com [10.15.49.40]) by int-mx13.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id u8TJet4u002522; Thu, 29 Sep 2016 15:40:55 -0400 Received: from carbonite.lga.redhat.com (localhost.localdomain [127.0.0.1]) by ultrasam.trained-monkey.org (Postfix) with ESMTP id 4C159183A4E20; Thu, 29 Sep 2016 15:40:55 -0400 (EDT) From: Jes.Sorensen@redhat.com To: linux-wireless@vger.kernel.org Cc: kvalo@codeaurora.org, Larry.Finger@lwfinger.net, stable@vger.kernel.org, Jes Sorensen Subject: [PATCH 1/2] rtl8xxxu: Fix memory leak in handling rxdesc16 packets Date: Thu, 29 Sep 2016 15:40:54 -0400 Message-Id: <1475178055-16924-2-git-send-email-Jes.Sorensen@redhat.com> In-Reply-To: <1475178055-16924-1-git-send-email-Jes.Sorensen@redhat.com> References: <1475178055-16924-1-git-send-email-Jes.Sorensen@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.26 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Thu, 29 Sep 2016 19:40:56 +0000 (UTC) Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Jes Sorensen A device running without RX package aggregation could return more data in the USB packet than the actual network packet. In this case the could would clone the skb but then determine that that there was no packet to handle and exit without freeing the cloned skb first. This has so far only been observed with 8188eu devices, but could affect others. Signed-off-by: Jes Sorensen --- drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c index b2d7f6e..a96ff17 100644 --- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c @@ -5197,7 +5197,12 @@ int rtl8xxxu_parse_rxdesc16(struct rtl8xxxu_priv *priv, struct sk_buff *skb) pkt_offset = roundup(pkt_len + drvinfo_sz + desc_shift + sizeof(struct rtl8xxxu_rxdesc16), 128); - if (pkt_cnt > 1) + /* + * Only clone the skb if there's enough data at the end to + * at least cover the rx descriptor + */ + if (pkt_cnt > 1 && + urb_len > (pkt_offset + sizeof(struct rtl8xxxu_rxdesc16))) next_skb = skb_clone(skb, GFP_ATOMIC); rx_status = IEEE80211_SKB_RXCB(skb);