From patchwork Tue Dec 30 13:55:39 2008
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Baruch Siach <baruch@tkos.co.il>
X-Patchwork-Id: 16053
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.176.167])
	by ozlabs.org (Postfix) with ESMTP id 9E56ADDE07
	for <patchwork-incoming@ozlabs.org>;
	Wed, 31 Dec 2008 00:56:11 +1100 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752189AbYL3N4I (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Tue, 30 Dec 2008 08:56:08 -0500
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1752150AbYL3N4F
	(ORCPT <rfc822; netdev-outgoing>); Tue, 30 Dec 2008 08:56:05 -0500
Received: from tango.tkos.co.il ([62.219.50.35]:39711 "EHLO tango.tkos.co.il"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1752136AbYL3N4E (ORCPT <rfc822;netdev@vger.kernel.org>);
	Tue, 30 Dec 2008 08:56:04 -0500
Received: from taragon.tkos.co.il (guitar.tcltek.co.il [192.115.133.116])
	by tango.tkos.co.il (8.12.11.20060308/8.12.11) with ESMTP id
	mBUDtowJ001186; Tue, 30 Dec 2008 15:55:53 +0200
Received: from diamond.tkos.co.il (localhost [127.0.0.1])
	(authenticated bits=0)
	by taragon.tkos.co.il (8.13.8/8.13.8/Debian-3) with ESMTP id
	mBUDtcea025196; Tue, 30 Dec 2008 15:55:42 +0200
Date: Tue, 30 Dec 2008 15:55:39 +0200
From: Baruch Siach <baruch@tkos.co.il>
To: Claudio Lanconelli <lanconelli.claudio@eptar.com>
Cc: Jeff Garzik <jgarzik@pobox.com>, netdev@vger.kernel.org
Subject: [PATCH] enc28j60: fix RX buffer overflow
Message-ID: <20081230135539.GA10015@diamond.tkos.co.il>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.5.18 (2008-05-17)
X-Virus-Scanned: ClamAV version 0.93.1,
	clamav-milter version 0.93.1 on tango.tkos.co.il
X-Virus-Status: Clean
X-Spam-Level: -2.312 () BAYES_00
X-Scanned-By: MIMEDefang 2.62 on 62.219.50.35
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

The enc28j60 driver doesn't check whether the length of the packet as reported 
by the hardware fits into the preallocated buffer. When stressed, the hardware 
may report insanely large packets even tough the "Receive OK" bit is set. Fix 
this.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>

--- drivers/net/enc28j60.c-git	2008-12-30 15:43:21.000000000 +0200
+++ drivers/net/enc28j60.c	2008-12-30 15:42:58.000000000 +0200
@@ -944,7 +944,7 @@ static void enc28j60_hw_rx(struct net_de
 	if (netif_msg_rx_status(priv))
 		enc28j60_dump_rsv(priv, __func__, next_packet, len, rxstat);
 
-	if (!RSV_GETBIT(rxstat, RSV_RXOK)) {
+	if (!RSV_GETBIT(rxstat, RSV_RXOK) || len > MAX_FRAMELEN) {
 		if (netif_msg_rx_err(priv))
 			dev_err(&ndev->dev, "Rx Error (%04x)\n", rxstat);
 		ndev->stats.rx_errors++;
@@ -952,6 +952,8 @@ static void enc28j60_hw_rx(struct net_de
 			ndev->stats.rx_crc_errors++;
 		if (RSV_GETBIT(rxstat, RSV_LENCHECKERR))
 			ndev->stats.rx_frame_errors++;
+		if (len > MAX_FRAMELEN)
+			ndev->stats.rx_over_errors++;
 	} else {
 		skb = dev_alloc_skb(len + NET_IP_ALIGN);
 		if (!skb) {