linux-wireless.vger.kernel.org archive mirror
From: "Luis R. Rodriguez" <lrodriguez@atheros.com>
To: <linux-wireless@vger.kernel.org>
Cc: "Luis R. Rodriguez" <lrodriguez@atheros.com>,
	Stephen Chen <Stephen.Chen@atheros.com>,
	Christian Lamparter <chunkeey@web.de>
Subject: [RFT] ar9170: check mpdu len on single mpdu before processing
Date: Thu, 13 Aug 2009 18:51:16 -0700
Message-ID: <1250214676-10608-1-git-send-email-lrodriguez@atheros.com>

When ar9170 receives a single MPDU in RX stream mode
we set the header and tail pointers for processing
but we never check if the MPDU will actually have
it given by the length passed. Should we have run into
this we would be chowing down on memory which may
not be ours.

Cc: Stephen Chen <Stephen.Chen@atheros.com>
Cc: Christian Lamparter <chunkeey@web.de>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
---

I won't be able to test this for a bit, was reviewing
RX stream support and noticed this.

BTW Chris, Stephen points out we *can* use packet mode for
RX with Otus devices. I haven't yet checked if ar9170 supports
it but I think that's what the Windows driver uses. It seems
RX stream mode is used to reduce the number of interrupts and
can help on some platforms. The down side to RX stream mode
seems to be that it "may introduce buffer copy as a side effect",
not sure what that is though, Stephen, can you clarify?

 drivers/net/wireless/ath/ar9170/main.c |   18 ++++++++++++++++++
 1 files changed, 18 insertions(+), 0 deletions(-)

diff --git a/drivers/net/wireless/ath/ar9170/main.c b/drivers/net/wireless/ath/ar9170/main.c
index ea8c941..75c317d 100644
--- a/drivers/net/wireless/ath/ar9170/main.c
+++ b/drivers/net/wireless/ath/ar9170/main.c
@@ -1040,9 +1040,27 @@ static void ar9170_handle_mpdu(struct ar9170 *ar, u8 *buf, int len)
 
 	case AR9170_RX_STATUS_MPDU_SINGLE:
 		/* single mpdu - has plcp (head) and phy status (tail) */
+
+		if (unlikely(mpdu_len < sizeof(struct ar9170_rx_head))) {
+			if (ar9170_nag_limiter(ar))
+				printk(KERN_ERR "%s: rx'd single mpdu "
+				       "with no header.\n",
+				       wiphy_name(ar->hw->wiphy));
+			return;
+		}
+
 		head = (void *) buf;
 
 		mpdu_len -= sizeof(struct ar9170_rx_head);
+
+		if (unlikely(mpdu_len < sizeof(struct ar9170_rx_phystatus))) {
+			if (ar9170_nag_limiter(ar))
+				printk(KERN_ERR "%s: rx'd single mpdu"
+				       "with no tail.\n",
+				       wiphy_name(ar->hw->wiphy));
+			return ;
+		}
+
 		mpdu_len -= sizeof(struct ar9170_rx_phystatus);
 
 		buf += sizeof(struct ar9170_rx_head);
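Review bot: In the second added check (the "no tail" branch), the two string literals "%s: rx'd single mpdu" and "with no tail.\n" concatenate without a space, so the log line reads "mpduwith no tail."; add a trailing space to the first literal as the "no header" message does. The same branch ends with `return ;`, which should be `return;` to match the first branch and kernel style. Both new comparisons are against a sizeof() result, which is unsigned: the declaration of mpdu_len is not in this hunk, but if it is a signed int, a negative value would be converted to a large unsigned number and pass both checks, so it is worth confirming its type or rejecting negative lengths explicitly before these tests. The two checks could also be folded into one test against sizeof(struct ar9170_rx_head) + sizeof(struct ar9170_rx_phystatus) placed before head is assigned, which validates the whole frame before any pointer is set or any subtraction is done.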
-- 
1.6.3.3

