lk/linux-kernel-test
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

mac80211: add skb length sanity checking

Browse Source 
We just found a bug in zd1211rw where it would reject
packets in the ->tx() method but leave them modified,
which would cause retransmit attempts with completely
bogus skbs, eventually leading to a panic due to not
having enough headroom in those.

This patch adds a sanity check to mac80211 to catch
such driver mistakes; in this case we warn and drop
the skb.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
This commit is contained in:
Johannes Berg
2009-03-23 17:28:40 +01:00
committed by John W. Linville
parent b1720231ca
commit a220858d30
1 changed files with 6 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
net/mac80211/tx.c
View File

@@ -1089,7 +1089,7 @@ static int __ieee80211_tx(struct ieee80211_local *local,
{ {
struct sk_buff *skb = *skbp, *next; struct sk_buff *skb = *skbp, *next;
struct ieee80211_tx_info *info; struct ieee80211_tx_info *info;
int ret; int ret, len;
bool fragm = false; bool fragm = false;
local->mdev->trans_start = jiffies; local->mdev->trans_start = jiffies;
@@ -1125,7 +1125,12 @@ static int __ieee80211_tx(struct ieee80211_local *local,
} }
next = skb->next; next = skb->next;
len = skb->len;
ret = local->ops->tx(local_to_hw(local), skb); ret = local->ops->tx(local_to_hw(local), skb);
if (WARN_ON(ret != NETDEV_TX_OK && skb->len != len)) {
dev_kfree_skb(skb);
ret = NETDEV_TX_OK;
}
if (ret != NETDEV_TX_OK) if (ret != NETDEV_TX_OK)
return IEEE80211_TX_AGAIN; return IEEE80211_TX_AGAIN;
*skbp = skb = next; *skbp = skb = next;