mac80211: add skb length sanity checking We just found a bug in zd1211rw where it would reject packets in the ->tx() method but leave them modified, which would cause retransmit attempts with completely bogus skbs, eventually leading to a panic due to not having enough headroom in those. This patch adds a sanity check to mac80211 to catch such driver mistakes; in this case we warn and drop the skb. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>

commit: a220858d30604902f650074bfac5a7598bc97ea4 [log] [tgz]
author: Johannes Berg <johannes@sipsolutions.net> Mon Mar 23 17:28:40 2009 +0100
committer: John W. Linville <linville@tuxdriver.com> Fri Mar 27 20:13:22 2009 -0400
tree: 3a4ad6d80713953598f6f872103291e69cf1ac6b
parent: b1720231ca07dee3382980f3b25e6581bd2e54e9 [diff]
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index b909e40..a0e00c6 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c

@@ -1089,7 +1089,7 @@
 {
 	struct sk_buff *skb = *skbp, *next;
 	struct ieee80211_tx_info *info;
-	int ret;
+	int ret, len;
 	bool fragm = false;
 
 	local->mdev->trans_start = jiffies;
@@ -1125,7 +1125,12 @@
 		}
 
 		next = skb->next;
+		len = skb->len;
 		ret = local->ops->tx(local_to_hw(local), skb);
+		if (WARN_ON(ret != NETDEV_TX_OK && skb->len != len)) {
+			dev_kfree_skb(skb);
+			ret = NETDEV_TX_OK;
+		}
 		if (ret != NETDEV_TX_OK)
 			return IEEE80211_TX_AGAIN;
 		*skbp = skb = next;
commit	a220858d30604902f650074bfac5a7598bc97ea4	[log] [tgz]
author	Johannes Berg <johannes@sipsolutions.net>	Mon Mar 23 17:28:40 2009 +0100
committer	John W. Linville <linville@tuxdriver.com>	Fri Mar 27 20:13:22 2009 -0400
tree	3a4ad6d80713953598f6f872103291e69cf1ac6b
parent	b1720231ca07dee3382980f3b25e6581bd2e54e9 [diff]