Pileus Git - ~andy/linux/commit

author	hayeswang <hayeswang@realtek.com>
	Wed, 20 Nov 2013 09:30:54 +0000 (17:30 +0800)
committer	David S. Miller <davem@davemloft.net>
	Wed, 20 Nov 2013 20:09:41 +0000 (15:09 -0500)
commit	7937f9e5141c9d4864d399d91325605a35cd5831
tree	bfae2019d68b7a3bf74a1a3acf8e532728f21364	tree \| snapshot
parent	b4789b8e6be3151a955ade74872822f30e8cd914	commit \| diff

r8152: fix tx/rx memory overflow

The tx/rx would access the memory which is out of the desired range.
Modify the method of checking the end of the memory to avoid it.

For r8152_tx_agg_fill(), the variable remain may become negative.
However, the declaration is unsigned, so the while loop wouldn't
break when reaching the end of the desied memory. Although to change
the declaration from unsigned to signed is enough to fix it, I also
modify the checking method for safe. Replace

remain = rx_buf_sz - sizeof(*tx_desc) -
(u32)((void *)tx_data - agg->head);

with

remain = rx_buf_sz - (int)(tx_agg_align(tx_data) - agg->head);

to make sure the variable remain is always positive. Then, the
overflow wouldn't happen.

For rx_bottom(), the rx_desc should not be used to calculate the
packet length before making sure the rx_desc is in the desired range.
Change the checking to two parts. First, check the descriptor is in
the memory. The other, using the descriptor to find out the packet
length and check if the packet is in the memory.

Signed-off-by: Hayes Wang <hayeswang@realtek.com>
Signed-off-by: David S. Miller <davem@davemloft.net>