From patchwork Fri Aug 7 15:33:31 2009 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: roel kluin X-Patchwork-Id: 30939 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@bilbo.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from ozlabs.org (ozlabs.org [203.10.76.45]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "mx.ozlabs.org", Issuer "CA Cert Signing Authority" (verified OK)) by bilbo.ozlabs.org (Postfix) with ESMTPS id 3AA34B7088 for ; Sat, 8 Aug 2009 01:30:10 +1000 (EST) Received: by ozlabs.org (Postfix) id 2F360DDD0C; Sat, 8 Aug 2009 01:30:10 +1000 (EST) Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.176.167]) by ozlabs.org (Postfix) with ESMTP id A0414DDD01 for ; Sat, 8 Aug 2009 01:30:09 +1000 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752910AbZHGP37 (ORCPT ); Fri, 7 Aug 2009 11:29:59 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1752886AbZHGP37 (ORCPT ); Fri, 7 Aug 2009 11:29:59 -0400 Received: from mail-ew0-f214.google.com ([209.85.219.214]:59713 "EHLO mail-ew0-f214.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751667AbZHGP35 (ORCPT ); Fri, 7 Aug 2009 11:29:57 -0400 Received: by ewy10 with SMTP id 10so1616609ewy.37 for ; Fri, 07 Aug 2009 08:29:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :user-agent:mime-version:to:subject:content-type :content-transfer-encoding; bh=JBda5HFZfOfBK2VSObWXk4+IlGDXgbHdjzMyzuinhO0=; b=U7nuypq3G/31n9AscdFI+sSFWYbrNtVkad3HOiG9o6k8ad/kFkIDG1GTs+tXrttGuc YZCHqXMTEZGTUJfqsJXCs1lTZ3wMOlJnVTUcerq4w1pC9q2ds8AKp0JTW8vyOeECLEMs WMW8BEM+7eBp9ADWP4Necsm3/5xf84d/cSn28= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject :content-type:content-transfer-encoding; b=roCrZeIiGyKP7RxsqmzSkvTrjfsSEiXFwdo1DpWZPslD539STshtUMRYn4DGOD/PpX KhsM4M5AV2vnL2csDpAQaPN0ihS+nUzt5VvOTOgHZ2fxjqCllFZ+iwXaqWoXEAUE1XPu 5eweo6jwmLi9lDzCz3VMjpHRr8/1Yd1u/5MsA= Received: by 10.210.18.4 with SMTP id 4mr1122653ebr.56.1249658996691; Fri, 07 Aug 2009 08:29:56 -0700 (PDT) Received: from zoinx.mars (d133062.upc-d.chello.nl [213.46.133.62]) by mx.google.com with ESMTPS id 5sm3239729eyh.6.2009.08.07.08.29.56 (version=SSLv3 cipher=RC4-MD5); Fri, 07 Aug 2009 08:29:56 -0700 (PDT) Message-ID: <4A7C494B.2060204@gmail.com> Date: Fri, 07 Aug 2009 17:33:31 +0200 From: Roel Kluin User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1b3pre) Gecko/20090513 Fedora/3.0-2.3.beta2.fc11 Thunderbird/3.0b2 MIME-Version: 1.0 To: netdev@vger.kernel.org, Andrew Morton , "David S. Miller" , n0-1@freewrt.org, florian@openwrt.org Subject: [PATCH] korina: Read buffer overflow Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org If the loop breaks with an i of 0, then we read lp->rd_ring[-1]. Signed-off-by: Roel Kluin --- Should we clean up like this? please review -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/drivers/net/korina.c b/drivers/net/korina.c index b4cf602..b965b2b 100644 --- a/drivers/net/korina.c +++ b/drivers/net/korina.c @@ -754,7 +754,7 @@ static void korina_alloc_ring(struct net_device *dev) { struct korina_private *lp = netdev_priv(dev); struct sk_buff *skb; - int i; + int i, j; /* Initialize the transmit descriptors */ for (i = 0; i < KORINA_NUM_TDS; i++) { @@ -771,7 +771,7 @@ static void korina_alloc_ring(struct net_device *dev) for (i = 0; i < KORINA_NUM_RDS; i++) { skb = dev_alloc_skb(KORINA_RBSIZE + 2); if (!skb) - break; + goto err_free; skb_reserve(skb, 2); lp->rx_skb[i] = skb; lp->rd_ring[i].control = DMA_DESC_IOD | @@ -790,6 +790,12 @@ static void korina_alloc_ring(struct net_device *dev) lp->rx_chain_head = 0; lp->rx_chain_tail = 0; lp->rx_chain_status = desc_empty; +err_free: + for (j = 0; j < i; j++) { + lp->rd_ring[j].control = 0; + dev_kfree_skb_any(lp->rx_skb[j]); + lp->rx_skb[j] = NULL; + } } static void korina_free_ring(struct net_device *dev)