| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1445302095-4695-15-git-send-email-lizf@kernel.org> Date: Tue, 20 Oct 2015 08:47:25 +0800 From: lizf@...nel.org To: stable@...r.kernel.org Cc: linux-kernel@...r.kernel.org, Haggai Eran <haggai.eran@...il.com>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Zefan Li <lizefan@...wei.com> Subject: [PATCH 3.4 15/65] staging: rtl8712: prevent buffer overrun in recvbuf2recvframe From: Haggai Eran <haggai.eran@...il.com> 3.4.110-rc1 review patch. If anyone has any objections, please let me know. ------------------ commit cab462140f8a183e3cca0b51c8b59ef715cb6148 upstream. With an RTL8191SU USB adaptor, sometimes the hints for a fragmented packet are set, but the packet length is too large. Allocate enough space to prevent memory corruption and a resulting kernel panic [1]. [1] http://www.spinics.net/lists/linux-wireless/msg136546.html Signed-off-by: Haggai Eran <haggai.eran@...il.com> ACKed-by: Larry Finger <Larry.Finger@...inger.net> Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Signed-off-by: Zefan Li <lizefan@...wei.com> --- drivers/staging/rtl8712/rtl8712_recv.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/staging/rtl8712/rtl8712_recv.c b/drivers/staging/rtl8712/rtl8712_recv.c index 887a807..549b8ab 100644 --- a/drivers/staging/rtl8712/rtl8712_recv.c +++ b/drivers/staging/rtl8712/rtl8712_recv.c @@ -1074,7 +1074,8 @@ static int recvbuf2recvframe(struct _adapter *padapter, struct sk_buff *pskb) /* for first fragment packet, driver need allocate 1536 + * drvinfo_sz + RXDESC_SIZE to defrag packet. */ if ((mf == 1) && (frag == 0)) - alloc_sz = 1658;/*1658+6=1664, 1664 is 128 alignment.*/ + /*1658+6=1664, 1664 is 128 alignment.*/ + alloc_sz = max_t(u16, tmp_len, 1658); else alloc_sz = tmp_len; /* 2 is for IP header 4 bytes alignment in QoS packet case. -- 1.9.1 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists