• hayeswang's avatar
    r8152: fix tx/rx memory overflow · 7937f9e5
    hayeswang authored
    The tx/rx would access the memory which is out of the desired range.
    Modify the method of checking the end of the memory to avoid it.
    
    For r8152_tx_agg_fill(), the variable remain may become negative.
    However, the declaration is unsigned, so the while loop wouldn't
    break when reaching the end of the desied memory. Although to change
    the declaration from unsigned to signed is enough to fix it, I also
    modify the checking method for safe. Replace
    
    		remain = rx_buf_sz - sizeof(*tx_desc) -
    			 (u32)((void *)tx_data - agg->head);
    
    with
    
    		remain = rx_buf_sz - (int)(tx_agg_align(tx_data) - agg->head);
    
    to make sure the variable remain is always positive. Then, the
    overflow wouldn't happen.
    
    For rx_bottom(), the rx_desc should not be used to calculate the
    packet length before making sure the rx_desc is in the desired range.
    Change the checking to two parts. First, check the descriptor is in
    the memory. The other, using the descriptor to find out the packet
    length and check if the packet is in the memory.
    Signed-off-by: default avatarHayes Wang <hayeswang@realtek.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    7937f9e5
r8152.c 50.5 KB