aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/net/wimax
diff options
context:
space:
mode:
authorInaky Perez-Gonzalez <inaky@linux.intel.com>2009-05-20 17:16:05 -0700
committerInaky Perez-Gonzalez <inaky@linux.intel.com>2009-06-11 03:30:21 -0700
commitc56affafdd29eb9764b0e35e3434cc06f6bc3781 (patch)
treeb79de2da47cba80882ae85cf7f271cc7f574a27e /drivers/net/wimax
parent8593a1967fb9746d318dde88a0a39a36dbfc3445 (diff)
downloadkernel_samsung_crespo-c56affafdd29eb9764b0e35e3434cc06f6bc3781.zip
kernel_samsung_crespo-c56affafdd29eb9764b0e35e3434cc06f6bc3781.tar.gz
kernel_samsung_crespo-c56affafdd29eb9764b0e35e3434cc06f6bc3781.tar.bz2
wimax/i2400m: fix panic/warnings caused by missed check on empty TX message
In some situations, when a new TX message header is started, there might be no space for data payloads. In this case the message is left with zero payloads and the i2400m_tx_close() function has just to mark it as "to skip". If it tries to go ahead it will overwrite things because there is no space to add padding as defined by the bus-specific layer. This can cause buffer overruns and in some stress cases, panics. Found and diagnosed by Cindy H. Kao. Signed-off-by: Inaky Perez-Gonzalez <inaky@linux.intel.com>
Diffstat (limited to 'drivers/net/wimax')
-rw-r--r--drivers/net/wimax/i2400m/tx.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/drivers/net/wimax/i2400m/tx.c b/drivers/net/wimax/i2400m/tx.c
index a635fd7..7c46c05 100644
--- a/drivers/net/wimax/i2400m/tx.c
+++ b/drivers/net/wimax/i2400m/tx.c
@@ -474,10 +474,18 @@ void i2400m_tx_close(struct i2400m *i2400m)
struct i2400m_msg_hdr *tx_msg_moved;
size_t aligned_size, padding, hdr_size;
void *pad_buf;
+ unsigned num_pls;
if (tx_msg->size & I2400M_TX_SKIP) /* a skipper? nothing to do */
goto out;
-
+ num_pls = le16_to_cpu(tx_msg->num_pls);
+ /* We can get this situation when a new message was started
+ * and there was no space to add payloads before hitting the
+ tail (and taking padding into consideration). */
+ if (num_pls == 0) {
+ tx_msg->size |= I2400M_TX_SKIP;
+ goto out;
+ }
/* Relocate the message header
*
* Find the current header size, align it to 16 and if we need