From: Haggai Eran
To: Larry Finger
Cc: linux-wireless@vger.kernel.org, Haggai Eran
Subject: [PATCH] staging: rtl8712: prevent buffer overrun in recvbuf2recvframe
Date: Tue, 19 May 2015 08:47:24 +0300
Message-Id: <1432014444-29039-1-git-send-email-haggai.eran@gmail.com>

With an RTL8191SU USB adaptor, sometimes the hints for a fragmented packet are set, but the packet length is too large. Truncate the packet to prevent memory corruption.

Signed-off-by: Haggai Eran
---
Hi,

I think this solves the issue for me. I'll test it more thoroughly later. I still don't know why a fragmented packet has such a large pkt_len value though.

Thanks,
Haggai

 drivers/staging/rtl8712/rtl8712_recv.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Index: wireless-drivers-next/drivers/staging/rtl8712/rtl8712_recv.c
===================================================================
--- wireless-drivers-next.orig/drivers/staging/rtl8712/rtl8712_recv.c
+++ wireless-drivers-next/drivers/staging/rtl8712/rtl8712_recv.c
@@ -1053,12 +1053,7 @@ static int recvbuf2recvframe(struct _ada precvframe->u.hdr.len = 0; tmp_len = pkt_len + drvinfo_sz + RXDESC_SIZE; pkt_offset = (u16)round_up(tmp_len, 128); - /* for first fragment packet, driver need allocate 1536 + - * drvinfo_sz + RXDESC_SIZE to defrag packet. */ - if ((mf == 1) && (frag == 0)) - alloc_sz = 1658;/*1658+6=1664, 1664 is 128 alignment.*/ - else - alloc_sz = tmp_len; + alloc_sz = tmp_len; /* 2 is for IP header 4 bytes alignment in QoS packet case. * 4 is for skb->data 4 bytes alignment. */ alloc_sz += 6;
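Review bot: the commit message says the oversized packet is truncated, but this hunk only drops the fixed 1658-byte allocation for a first fragment (mf == 1 && frag == 0) so that alloc_sz = tmp_len in every case; nothing in it bounds pkt_len, and the diffstat's 5 insertions and 1 deletion does not match this hunk's six removed and one added line, so either the truncation lives in a hunk that is not shown or the description should be reworded to say what this change actually does. The removed comment states that the larger buffer is what later fragments are defragmented into; with a first fragment now allocated at its own length plus 6, please confirm the defragmentation path does not copy following fragments into that buffer, otherwise the overrun moves from recvbuf2recvframe to reassembly. A one-line comment on why a first fragment no longer needs the 1536 + drvinfo_sz + RXDESC_SIZE reservation would help the next reader, since the old rationale is deleted with the code.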