Patchwork [hardy,CVE,2/2] b43: allocate receive buffers big enough for max frame len + offset

login
register
mail settings
Submitter Andy Whitcroft
Date Dec. 22, 2011, 3:06 p.m.
Message ID <1324566383-30777-3-git-send-email-apw@canonical.com>
Download mbox | patch
Permalink /patch/132859/
State New
Headers show

Comments

Andy Whitcroft - Dec. 22, 2011, 3:06 p.m.
From: "John W. Linville" <linville@tuxdriver.com>

Otherwise, skb_put inside of dma_rx can fail...

	https://bugzilla.kernel.org/show_bug.cgi?id=32042

Signed-off-by: John W. Linville <linville@tuxdriver.com>
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: stable@kernel.org

(backported from commit c85ce65ecac078ab1a1835c87c4a6319cf74660a)
CVE-2011-3359
BugLink: http://bugs.launchpad.net/bugs/905060
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 drivers/net/wireless/b43/dma.c |    2 +-
 drivers/net/wireless/b43/dma.h |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

Patch

diff --git a/drivers/net/wireless/b43/dma.c b/drivers/net/wireless/b43/dma.c
index ddcc0c4..12b0759 100644
--- a/drivers/net/wireless/b43/dma.c
+++ b/drivers/net/wireless/b43/dma.c
@@ -1425,7 +1425,7 @@  static void dma_rx(struct b43_dmaring *ring, int *slot)
 			goto drop;
 		}
 	}
-	if (unlikely(len > ring->rx_buffersize)) {
+	if (unlikely(len + ring->frameoffset > ring->rx_buffersize)) {
 		/* The data did not fit into one descriptor buffer
 		 * and is split over multiple buffers.
 		 * This should never happen, as we try to allocate buffers
diff --git a/drivers/net/wireless/b43/dma.h b/drivers/net/wireless/b43/dma.h
index 3eed185..5bd2324 100644
--- a/drivers/net/wireless/b43/dma.h
+++ b/drivers/net/wireless/b43/dma.h
@@ -167,7 +167,7 @@  struct b43_dmadesc_generic {
 /* DMA engine tuning knobs */
 #define B43_TXRING_SLOTS		128
 #define B43_RXRING_SLOTS		64
-#define B43_DMA0_RX_BUFFERSIZE	(2304 + 100)
+#define B43_DMA0_RX_BUFFERSIZE		(B43_DMA0_RX_FRAMEOFFSET + IEEE80211_MAX_FRAME_LEN)
 #define B43_DMA3_RX_BUFFERSIZE	16
 
 #ifdef CONFIG_B43_DMA