From: Mattias Nissler Date: Sun, 9 Mar 2008 21:41:22 +0000 (+0100) Subject: rt2x00: Don't use unitialized rxdesc->size X-Git-Tag: v2.6.26-rc1~1138^2~440 X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2ae23854dc0af617d9a0e3ab51a0cc51485ebbf2;p=linux-2.6 rt2x00: Don't use unitialized rxdesc->size rxdesc->size is unitialized before the desriptor has been read. Move the truncation of the sk buffer to the moment all variables have been initialized. Signed-off-by: Mattias Nissler Signed-off-by: Ivo van Doorn Signed-off-by: John W. Linville --- diff --git a/drivers/net/wireless/rt2x00/rt2500usb.c b/drivers/net/wireless/rt2x00/rt2500usb.c index 86cd9a5eee..559131fc6d 100644 --- a/drivers/net/wireless/rt2x00/rt2500usb.c +++ b/drivers/net/wireless/rt2x00/rt2500usb.c @@ -1123,13 +1123,10 @@ static void rt2500usb_fill_rxdone(struct queue_entry *entry, /* * Copy descriptor to the available headroom inside the skbuffer. - * Remove the original copy by trimming the skbuffer. */ skb_push(entry->skb, offset); memcpy(entry->skb->data, rxd, entry->queue->desc_size); rxd = (__le32 *)entry->skb->data; - skb_pull(entry->skb, offset); - skb_trim(entry->skb, rxdesc->size); /* * The descriptor is now aligned to 4 bytes and thus it is @@ -1154,12 +1151,18 @@ static void rt2500usb_fill_rxdone(struct queue_entry *entry, rxdesc->size = rt2x00_get_field32(word0, RXD_W0_DATABYTE_COUNT); rxdesc->my_bss = !!rt2x00_get_field32(word0, RXD_W0_MY_BSS); + /* + * Adjust the skb memory window to the frame boundaries. + */ + skb_pull(entry->skb, offset); + skb_trim(entry->skb, rxdesc->size); + /* * Set descriptor and data pointer. */ skbdesc->data = entry->skb->data; skbdesc->data_len = rxdesc->size; - skbdesc->desc = entry->skb->data - offset; + skbdesc->desc = rxd; skbdesc->desc_len = entry->queue->desc_size; } diff --git a/drivers/net/wireless/rt2x00/rt73usb.c b/drivers/net/wireless/rt2x00/rt73usb.c index a48c82f092..468039f1bf 100644 --- a/drivers/net/wireless/rt2x00/rt73usb.c +++ b/drivers/net/wireless/rt2x00/rt73usb.c @@ -1376,13 +1376,10 @@ static void rt73usb_fill_rxdone(struct queue_entry *entry, /* * Copy descriptor to the available headroom inside the skbuffer. - * Remove the original copy by pulling the skbuffer. */ skb_push(entry->skb, offset); memcpy(entry->skb->data, rxd, entry->queue->desc_size); rxd = (__le32 *)entry->skb->data; - skb_pull(entry->skb, offset + entry->queue->desc_size); - skb_trim(entry->skb, rxdesc->size); /* * The descriptor is now aligned to 4 bytes and thus it is @@ -1404,12 +1401,18 @@ static void rt73usb_fill_rxdone(struct queue_entry *entry, rxdesc->size = rt2x00_get_field32(word0, RXD_W0_DATABYTE_COUNT); rxdesc->my_bss = !!rt2x00_get_field32(word0, RXD_W0_MY_BSS); + /* + * Adjust the skb memory window to the frame boundaries. + */ + skb_pull(entry->skb, offset + entry->queue->desc_size); + skb_trim(entry->skb, rxdesc->size); + /* * Set descriptor and data pointer. */ skbdesc->data = entry->skb->data; skbdesc->data_len = rxdesc->size; - skbdesc->desc = entry->skb->data - offset; + skbdesc->desc = rxd; skbdesc->desc_len = entry->queue->desc_size; }