diff options
author | Inaky Perez-Gonzalez <inaky@linux.intel.com> | 2009-05-20 17:16:05 -0700 |
---|---|---|
committer | Inaky Perez-Gonzalez <inaky@linux.intel.com> | 2009-06-11 03:30:21 -0700 |
commit | c56affafdd29eb9764b0e35e3434cc06f6bc3781 (patch) | |
tree | b79de2da47cba80882ae85cf7f271cc7f574a27e /drivers/net/wimax | |
parent | 8593a1967fb9746d318dde88a0a39a36dbfc3445 (diff) | |
download | kernel_samsung_crespo-c56affafdd29eb9764b0e35e3434cc06f6bc3781.zip kernel_samsung_crespo-c56affafdd29eb9764b0e35e3434cc06f6bc3781.tar.gz kernel_samsung_crespo-c56affafdd29eb9764b0e35e3434cc06f6bc3781.tar.bz2 |
wimax/i2400m: fix panic/warnings caused by missed check on empty TX message
In some situations, when a new TX message header is started, there
might be no space for data payloads. In this case the message is left
with zero payloads and the i2400m_tx_close() function has just to mark
it as "to skip". If it tries to go ahead it will overwrite things
because there is no space to add padding as defined by the
bus-specific layer. This can cause buffer overruns and in some stress
cases, panics.
Found and diagnosed by Cindy H. Kao.
Signed-off-by: Inaky Perez-Gonzalez <inaky@linux.intel.com>
Diffstat (limited to 'drivers/net/wimax')
-rw-r--r-- | drivers/net/wimax/i2400m/tx.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/drivers/net/wimax/i2400m/tx.c b/drivers/net/wimax/i2400m/tx.c index a635fd7..7c46c05 100644 --- a/drivers/net/wimax/i2400m/tx.c +++ b/drivers/net/wimax/i2400m/tx.c @@ -474,10 +474,18 @@ void i2400m_tx_close(struct i2400m *i2400m) struct i2400m_msg_hdr *tx_msg_moved; size_t aligned_size, padding, hdr_size; void *pad_buf; + unsigned num_pls; if (tx_msg->size & I2400M_TX_SKIP) /* a skipper? nothing to do */ goto out; - + num_pls = le16_to_cpu(tx_msg->num_pls); + /* We can get this situation when a new message was started + * and there was no space to add payloads before hitting the + tail (and taking padding into consideration). */ + if (num_pls == 0) { + tx_msg->size |= I2400M_TX_SKIP; + goto out; + } /* Relocate the message header * * Find the current header size, align it to 16 and if we need |