diff options
author | Nathan Williams <nathan@traverse.com.au> | 2009-03-25 20:33:42 +1100 |
---|---|---|
committer | David Woodhouse <David.Woodhouse@intel.com> | 2009-03-25 11:17:49 +0000 |
commit | 78f857f265241dfa6f343d75b45e8b30935f71df (patch) | |
tree | 03795e32b4fdc4b484d17abd14d2ba736510c979 | |
parent | 4dbedf43d26276f6d7c8c3146d0a5b2f0309d968 (diff) | |
download | op-kernel-dev-78f857f265241dfa6f343d75b45e8b30935f71df.zip op-kernel-dev-78f857f265241dfa6f343d75b45e8b30935f71df.tar.gz |
solos: Check for rogue received packets
Sometimes there can be received packets with the size field set to 0xFFFF.
This seems to only occur after an FPGA or firmware upgrade.
This patch discards packets with an invalid size.
Signed-off-by: Nathan Williams <nathan@traverse.com.au>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-rw-r--r-- | drivers/atm/solos-pci.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/atm/solos-pci.c b/drivers/atm/solos-pci.c index bfef8d2..6c82834 100644 --- a/drivers/atm/solos-pci.c +++ b/drivers/atm/solos-pci.c @@ -671,6 +671,10 @@ void solos_bh(unsigned long card_arg) memcpy_fromio(header, RX_BUF(card, port), sizeof(*header)); size = le16_to_cpu(header->size); + if (size > (card->buffer_size - sizeof(*header))){ + dev_warn(&card->dev->dev, "Invalid buffer size\n"); + continue; + } skb = alloc_skb(size + 1, GFP_ATOMIC); if (!skb) { |