From patchwork Thu Dec 22 15:06:22 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [hardy, CVE, 2/2] b43: allocate receive buffers big enough for max frame len + offset X-Patchwork-Submitter: Andy Whitcroft X-Patchwork-Id: 132859 Message-Id: <1324566383-30777-3-git-send-email-apw@canonical.com> To: kernel-team@lists.ubuntu.com Cc: Andy Whitcroft Date: Thu, 22 Dec 2011 15:06:22 +0000 From: Andy Whitcroft List-Id: Kernel team discussions From: "John W. Linville" Otherwise, skb_put inside of dma_rx can fail... https://bugzilla.kernel.org/show_bug.cgi?id=32042 Signed-off-by: John W. Linville Acked-by: Larry Finger Cc: stable@kernel.org (backported from commit c85ce65ecac078ab1a1835c87c4a6319cf74660a) CVE-2011-3359 BugLink: http://bugs.launchpad.net/bugs/905060 Signed-off-by: Andy Whitcroft --- drivers/net/wireless/b43/dma.c | 2 +- drivers/net/wireless/b43/dma.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/b43/dma.c b/drivers/net/wireless/b43/dma.c index ddcc0c4..12b0759 100644 --- a/drivers/net/wireless/b43/dma.c +++ b/drivers/net/wireless/b43/dma.c @@ -1425,7 +1425,7 @@ static void dma_rx(struct b43_dmaring *ring, int *slot) goto drop; } } - if (unlikely(len > ring->rx_buffersize)) { + if (unlikely(len + ring->frameoffset > ring->rx_buffersize)) { /* The data did not fit into one descriptor buffer * and is split over multiple buffers. * This should never happen, as we try to allocate buffers diff --git a/drivers/net/wireless/b43/dma.h b/drivers/net/wireless/b43/dma.h index 3eed185..5bd2324 100644 --- a/drivers/net/wireless/b43/dma.h +++ b/drivers/net/wireless/b43/dma.h 
@@ -167,7 +167,7 @@ struct b43_dmadesc_generic { /* DMA engine tuning knobs */ #define B43_TXRING_SLOTS 128 #define B43_RXRING_SLOTS 64 -#define B43_DMA0_RX_BUFFERSIZE (2304 + 100) +#define B43_DMA0_RX_BUFFERSIZE (B43_DMA0_RX_FRAMEOFFSET + IEEE80211_MAX_FRAME_LEN) #define B43_DMA3_RX_BUFFERSIZE 16 #ifdef CONFIG_B43_DMA
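Review bot: In the dma.c hunk, the comment directly under the changed condition in dma_rx still describes only data that "did not fit into one descriptor buffer", while the condition now compares len + ring->frameoffset against ring->rx_buffersize. A frame that is within the buffer size on its own can now take this branch once the offset is added. Suggest updating the comment to mention the frame offset, and to say that this bound is what keeps the skb_put in dma_rx (named in the commit message) inside the allocated buffer.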
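Review bot: In the dma.h hunk, the new B43_DMA0_RX_BUFFERSIZE definition depends on B43_DMA0_RX_FRAMEOFFSET and IEEE80211_MAX_FRAME_LEN, and neither definition appears in the visible context. As this is a backport to hardy, please confirm that both macros exist in that tree and are in scope wherever B43_DMA0_RX_BUFFERSIZE is expanded. Separately, B43_DMA3_RX_BUFFERSIZE stays at 16 while the dma.c check in this patch adds ring->frameoffset to len, so the changelog should say whether that ring's offset plus its expected frame length still fits in 16.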