Message ID | 1479505468-29383-2-git-send-email-Jes.Sorensen@redhat.com (mailing list archive) |
---|---|
State | Accepted |
Commit | a0aba89763f863261609e3e6edff138e4114384f |
Delegated to: | Kalle Valo |
Jes Sorensen <Jes.Sorensen@redhat.com> wrote:
> From: Jes Sorensen <Jes.Sorensen@redhat.com>
>
> A device running without RX package aggregation could return more data
> in the USB packet than the actual network packet. In this case the
> code would clone the skb but then determine that there was no
> packet to handle and exit without freeing the cloned skb first.
>
> This has so far only been observed with 8188eu devices, but could
> affect others.
>
> Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>

7 patches applied to wireless-drivers-next.git, thanks.

a0aba89763f8 rtl8xxxu: Fix memory leak in handling rxdesc16 packets
cf7cfef06462 rtl8xxxu: Fix big-endian problem reporting mactime
b9af93551127 rtl8xxxu: Fix rtl8723bu driver reload issue
5d03f882c2fc rtl8xxxu: Fix rtl8192eu driver reload issue
a748a11038f8 rtl8xxxu: Obtain RTS rates from mac80211
b4c3d9cfb607 rtl8xxxu: Pass tx_info to fill_txdesc in order to have access to retry count
13e1349aff82 rtl8xxxu: Fix non static symbol warning
diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c index b2d7f6e..a96ff17 100644 --- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c @@ -5197,7 +5197,12 @@ int rtl8xxxu_parse_rxdesc16(struct rtl8xxxu_priv *priv, struct sk_buff *skb) pkt_offset = roundup(pkt_len + drvinfo_sz + desc_shift + sizeof(struct rtl8xxxu_rxdesc16), 128); - if (pkt_cnt > 1) + /* + * Only clone the skb if there's enough data at the end to + * at least cover the rx descriptor + */ + if (pkt_cnt > 1 && + urb_len > (pkt_offset + sizeof(struct rtl8xxxu_rxdesc16))) next_skb = skb_clone(skb, GFP_ATOMIC); rx_status = IEEE80211_SKB_RXCB(skb);
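Review bot: The new condition in rtl8xxxu_parse_rxdesc16() compares with a strict `urb_len > (pkt_offset + sizeof(struct rtl8xxxu_rxdesc16))`, while the comment above it says the clone should happen when the remaining data will "at least cover the rx descriptor". If a trailing region of exactly one descriptor is meant to be parsed, this should be `>=`. If the strict comparison is intentional (a bare descriptor with no payload is not worth cloning for), the comment should say so. Separately, the commit message describes the leak as an exit path that returns without freeing the clone. This hunk avoids the clone up front and does not free at that exit, so it is worth confirming that no other condition can reach that early exit with next_skb already set, or adding the free there as well.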