summaryrefslogtreecommitdiff
path: root/drivers/net/wireless
diff options
context:
space:
mode:
authorVladimir Kondratiev <qca_vkondrat@qca.qualcomm.com>2013-05-12 14:43:33 +0300
committerJohn W. Linville <linville@tuxdriver.com>2013-05-22 15:05:35 -0400
commite270045b569cc7030abd29857f3a4e7906524ec0 (patch)
tree00e7334e6b5cb7b63f1c6ac26e91adf0ad62db0f /drivers/net/wireless
parent7e594444448f221cff66a9309cbfd17430e463a0 (diff)
wil6210: Sanity check for reported DMA length
If Rx descriptor contains garbage, it is possible to access memory beyond allocated buffer. Check this condition and drop Rx if reported length is unreasonable large Signed-off-by: Vladimir Kondratiev <qca_vkondrat@qca.qualcomm.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers/net/wireless')
-rw-r--r--drivers/net/wireless/ath/wil6210/txrx.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/drivers/net/wireless/ath/wil6210/txrx.c b/drivers/net/wireless/ath/wil6210/txrx.c
index 6a20f0a18622..92f18215014c 100644
--- a/drivers/net/wireless/ath/wil6210/txrx.c
+++ b/drivers/net/wireless/ath/wil6210/txrx.c
@@ -349,7 +349,13 @@ static struct sk_buff *wil_vring_reap_rx(struct wil6210_priv *wil,
d1 = wil_skb_rxdesc(skb);
*d1 = *d;
+ wil_vring_advance_head(vring, 1);
dmalen = le16_to_cpu(d1->dma.length);
+ if (dmalen > sz) {
+ wil_err(wil, "Rx size too large: %d bytes!\n", dmalen);
+ kfree(skb);
+ return NULL;
+ }
skb_trim(skb, dmalen);
wil->stats.last_mcs_rx = wil_rxdesc_mcs(d1);
@@ -362,8 +368,6 @@ static struct sk_buff *wil_vring_reap_rx(struct wil6210_priv *wil,
wil_hex_dump_txrx("Rx ", DUMP_PREFIX_NONE, 32, 4,
(const void *)d, sizeof(*d), false);
- wil_vring_advance_head(vring, 1);
-
/* no extra checks if in sniffer mode */
if (ndev->type != ARPHRD_ETHER)
return skb;