| From 1e54134ccad00f76ddf00f3e77db3dc8fdefbb47 Mon Sep 17 00:00:00 2001 |
| From: Jes Sorensen <Jes.Sorensen@redhat.com> |
| Date: Thu, 29 Sep 2016 15:40:54 -0400 |
| Subject: rtl8xxxu: Fix memory leak in handling rxdesc16 packets |
| |
| From: Jes Sorensen <Jes.Sorensen@redhat.com> |
| |
| commit 1e54134ccad00f76ddf00f3e77db3dc8fdefbb47 upstream. |
| |
| A device running without RX package aggregation could return more data |
| in the USB packet than the actual network packet. In this case we |
| could would clone the skb but then determine that that there was no |
| packet to handle and exit without freeing the cloned skb first. |
| |
| This has so far only been observed with 8188eu devices, but could |
| affect others. |
| |
| Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com> |
| Signed-off-by: Kalle Valo <kvalo@codeaurora.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 7 ++++++- |
| 1 file changed, 6 insertions(+), 1 deletion(-) |
| |
| --- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c |
| +++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c |
| @@ -5201,7 +5201,12 @@ int rtl8xxxu_parse_rxdesc16(struct rtl8x |
| pkt_offset = roundup(pkt_len + drvinfo_sz + desc_shift + |
| sizeof(struct rtl8xxxu_rxdesc16), 128); |
| |
| - if (pkt_cnt > 1) |
| + /* |
| + * Only clone the skb if there's enough data at the end to |
| + * at least cover the rx descriptor |
| + */ |
| + if (pkt_cnt > 1 && |
| + urb_len > (pkt_offset + sizeof(struct rtl8xxxu_rxdesc16))) |
| next_skb = skb_clone(skb, GFP_ATOMIC); |
| |
| rx_status = IEEE80211_SKB_RXCB(skb); |