summaryrefslogtreecommitdiffstats
path: root/drivers/atm
diff options
context:
space:
mode:
authorNathan Williams <nathan@traverse.com.au>2009-03-25 10:33:42 +0100
committerDavid Woodhouse <David.Woodhouse@intel.com>2009-03-25 12:17:49 +0100
commit78f857f265241dfa6f343d75b45e8b30935f71df (patch)
tree03795e32b4fdc4b484d17abd14d2ba736510c979 /drivers/atm
parentsolos: support new FPGA RAM layout (diff)
downloadlinux-78f857f265241dfa6f343d75b45e8b30935f71df.tar.xz
linux-78f857f265241dfa6f343d75b45e8b30935f71df.zip
solos: Check for rogue received packets
Sometimes there can be received packets with the size field set to 0xFFFF. This seems to only occur after an FPGA or firmware upgrade. This patch discards packets with an invalid size. Signed-off-by: Nathan Williams <nathan@traverse.com.au> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Diffstat (limited to 'drivers/atm')
-rw-r--r--drivers/atm/solos-pci.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/atm/solos-pci.c b/drivers/atm/solos-pci.c
index bfef8d255811..6c828347c9cc 100644
--- a/drivers/atm/solos-pci.c
+++ b/drivers/atm/solos-pci.c
@@ -671,6 +671,10 @@ void solos_bh(unsigned long card_arg)
memcpy_fromio(header, RX_BUF(card, port), sizeof(*header));
size = le16_to_cpu(header->size);
+ if (size > (card->buffer_size - sizeof(*header))){
+ dev_warn(&card->dev->dev, "Invalid buffer size\n");
+ continue;
+ }
skb = alloc_skb(size + 1, GFP_ATOMIC);
if (!skb) {