| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 28 Jun 2011 14:21:31 -0700
From: maksim.rayskiy@...il.com
To: netdev@...r.kernel.org
cc: "Maksim Rayskiy" <mrayskiy@...adcom.com>
Subject: [RFC PATCH] asix: drop rx skb if header length is invalid
From: Maksim Rayskiy <mrayskiy@...adcom.com>
Signed-off-by: Maksim Rayskiy <mrayskiy@...adcom.com>
---
I am using AX88772 usbnet dongle, and sometimes after system resume I am seeing
corrupt rx packets which generate infinite number of
asix_rx_fixup() Bad Header Length
messages.
Looking at asix_rx_fixup() I see that depending on what junk you get in skb you
may end up with never breaking the while loop. Would not it be safer to bail out
as soon as incorrect header length was detected?
drivers/net/usb/asix.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/drivers/net/usb/asix.c b/drivers/net/usb/asix.c
index 6998aa6..9d7a6ec 100644
--- a/drivers/net/usb/asix.c
+++ b/drivers/net/usb/asix.c
@@ -317,6 +317,7 @@ static int asix_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
if ((short)(header & 0x0000ffff) !=
~((short)((header & 0xffff0000) >> 16))) {
netdev_err(dev->net, "asix_rx_fixup() Bad Header Length\n");
+ return 0;
}
/* get the packet length */
size = (u16) (header & 0x0000ffff);
--
1.7.4.1
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists