• Ralf Baechle's avatar
    NET: Fix possible corruption in bpqether driver · 3eb00275
    Ralf Baechle authored
    The bpq ether driver is modifying the data art of the skb by first
    dropping the KISS byte (a command byte for the radio) then prepending the
    length + 4 of the remaining AX.25 packet to be transmitted as a little
    endian 16-bit number.  If the high byte of the length has a different
    value than the dropped KISS byte users of clones of the skb may observe
    this as corruption.  This was observed with by running listen(8) -a which
    uses a packet socket which clones transmit packets.  The corruption will
    then typically be displayed for as a KISS "TX Delay" command for AX.25
    packets in the range of 252..508 bytes or any other KISS command for
    yet larger packets.
    
    Fixed by using skb_cow to create a private copy should the skb be cloned.
    Using skb_cow also allows us to cleanup the old logic to ensure sufficient
    headroom in the skb.
    
    While at it, replace a return of 0 from bpq_xmit with the proper constant
    NETDEV_TX_OK which is now being used everywhere else in this function.
    
    Affected: all 2.2, 2.4 and 2.6 kernels.
    Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
    Reported-by: default avatarJann Traschewski <jann@gmx.de>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    3eb00275
bpqether.c 14.5 KB