2016-10-06 10:49:31 +00:00
|
|
|
From 51be39337a10a8bf9d8ec65419e78b76bf5adf60 Mon Sep 17 00:00:00 2001
|
2016-09-29 07:48:09 +00:00
|
|
|
From: Jes Sorensen <Jes.Sorensen@redhat.com>
|
|
|
|
Date: Wed, 28 Sep 2016 14:48:51 -0400
|
|
|
|
Subject: [PATCH] rtl8xxxu: Fix memory leak in handling rxdesc16 packets
|
|
|
|
|
|
|
|
A device running without RX package aggregation could return more data
|
|
|
|
in the USB packet than the actual network packet. In this case the
|
|
|
|
could would clone the skb but then determine that that there was no
|
|
|
|
packet to handle and exit without freeing the cloned skb first.
|
|
|
|
|
|
|
|
This has so far only been observed with 8188eu devices, but could
|
|
|
|
affect others.
|
|
|
|
|
|
|
|
Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
|
|
|
|
---
|
|
|
|
drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 7 ++++++-
|
|
|
|
1 file changed, 6 insertions(+), 1 deletion(-)
|
|
|
|
|
|
|
|
--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
|
|
|
|
+++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
|
2016-10-06 10:49:31 +00:00
|
|
|
@@ -5197,7 +5197,12 @@ int rtl8xxxu_parse_rxdesc16(struct rtl8x
|
2016-09-29 07:48:09 +00:00
|
|
|
pkt_offset = roundup(pkt_len + drvinfo_sz + desc_shift +
|
|
|
|
sizeof(struct rtl8xxxu_rxdesc16), 128);
|
|
|
|
|
|
|
|
- if (pkt_cnt > 1)
|
|
|
|
+ /*
|
|
|
|
+ * Only clone the skb if there's enough data at the end to
|
|
|
|
+ * at least cover the rx descriptor
|
|
|
|
+ */
|
|
|
|
+ if (pkt_cnt > 1 &&
|
|
|
|
+ urb_len > (pkt_offset + sizeof(struct rtl8xxxu_rxdesc16)))
|
|
|
|
next_skb = skb_clone(skb, GFP_ATOMIC);
|
|
|
|
|
|
|
|
rx_status = IEEE80211_SKB_RXCB(skb);
|