Commit 6aecbba1 authored by Grant Grundler's avatar Grant Grundler Committed by David S. Miller

net: atlantic: add check for MAX_SKB_FRAGS

Enforce that the CPU can not get stuck in an infinite loop.
Reported-by: default avatarAashay Shringarpure <aashay@google.com>
Reported-by: default avatarYi Chou <yich@google.com>
Reported-by: default avatarShervin Oloumi <enlightened@google.com>
Signed-off-by: default avatarGrant Grundler <grundler@chromium.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 79784d77
...@@ -363,6 +363,7 @@ int aq_ring_rx_clean(struct aq_ring_s *self, ...@@ -363,6 +363,7 @@ int aq_ring_rx_clean(struct aq_ring_s *self,
continue; continue;
if (!buff->is_eop) { if (!buff->is_eop) {
unsigned int frag_cnt = 0U;
buff_ = buff; buff_ = buff;
do { do {
bool is_rsc_completed = true; bool is_rsc_completed = true;
...@@ -371,6 +372,8 @@ int aq_ring_rx_clean(struct aq_ring_s *self, ...@@ -371,6 +372,8 @@ int aq_ring_rx_clean(struct aq_ring_s *self,
err = -EIO; err = -EIO;
goto err_exit; goto err_exit;
} }
frag_cnt++;
next_ = buff_->next, next_ = buff_->next,
buff_ = &self->buff_ring[next_]; buff_ = &self->buff_ring[next_];
is_rsc_completed = is_rsc_completed =
...@@ -378,7 +381,8 @@ int aq_ring_rx_clean(struct aq_ring_s *self, ...@@ -378,7 +381,8 @@ int aq_ring_rx_clean(struct aq_ring_s *self,
next_, next_,
self->hw_head); self->hw_head);
if (unlikely(!is_rsc_completed)) { if (unlikely(!is_rsc_completed) ||
frag_cnt > MAX_SKB_FRAGS) {
err = 0; err = 0;
goto err_exit; goto err_exit;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment