From patchwork Fri Nov 18 21:44:22 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jes Sorensen X-Patchwork-Id: 9437419 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 8F89660238 for ; Fri, 18 Nov 2016 21:44:42 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 807A7299DD for ; Fri, 18 Nov 2016 21:44:42 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 754BF29A22; Fri, 18 Nov 2016 21:44:42 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1CFD6299DD for ; Fri, 18 Nov 2016 21:44:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752864AbcKRVol (ORCPT ); Fri, 18 Nov 2016 16:44:41 -0500 Received: from mx1.redhat.com ([209.132.183.28]:60222 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752651AbcKRVoa (ORCPT ); Fri, 18 Nov 2016 16:44:30 -0500 Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 9FF0E80F93; Fri, 18 Nov 2016 21:44:29 +0000 (UTC) Received: from ultrasam.trained-monkey.org (ovpn-116-132.phx2.redhat.com [10.3.116.132]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id uAILiSOx018441; Fri, 18 Nov 2016 16:44:29 -0500 Received: from carbonite.redhat.com (localhost.localdomain [127.0.0.1]) by ultrasam.trained-monkey.org (Postfix) with ESMTP id 38EC618133D69; Fri, 18 Nov 2016 16:44:28 -0500 (EST) From: Jes.Sorensen@redhat.com To: linux-wireless@vger.kernel.org Cc: kvalo@codeaurora.org, Larry.Finger@lwfinger.net, Jes Sorensen Subject: [PATCH 1/7] rtl8xxxu: Fix memory leak in handling rxdesc16 packets Date: Fri, 18 Nov 2016 16:44:22 -0500 Message-Id: <1479505468-29383-2-git-send-email-Jes.Sorensen@redhat.com> In-Reply-To: <1479505468-29383-1-git-send-email-Jes.Sorensen@redhat.com> References: <1479505468-29383-1-git-send-email-Jes.Sorensen@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.27]); Fri, 18 Nov 2016 21:44:29 +0000 (UTC) Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Jes Sorensen A device running without RX package aggregation could return more data in the USB packet than the actual network packet. In this case the could would clone the skb but then determine that that there was no packet to handle and exit without freeing the cloned skb first. This has so far only been observed with 8188eu devices, but could affect others. Signed-off-by: Jes Sorensen --- drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c index b2d7f6e..a96ff17 100644 --- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c @@ -5197,7 +5197,12 @@ int rtl8xxxu_parse_rxdesc16(struct rtl8xxxu_priv *priv, struct sk_buff *skb) pkt_offset = roundup(pkt_len + drvinfo_sz + desc_shift + sizeof(struct rtl8xxxu_rxdesc16), 128); - if (pkt_cnt > 1) + /* + * Only clone the skb if there's enough data at the end to + * at least cover the rx descriptor + */ + if (pkt_cnt > 1 && + urb_len > (pkt_offset + sizeof(struct rtl8xxxu_rxdesc16))) next_skb = skb_clone(skb, GFP_ATOMIC); rx_status = IEEE80211_SKB_RXCB(skb);