From: Chris Wright Date: Mon, 31 Oct 2005 20:33:55 +0000 (-0800) Subject: Add prism54 info leak from Roger While, fwd by jgarzik X-Git-Tag: v2.6.14.1~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9f4fa965375ea4ee987c41f49cd6be73466b889d;p=thirdparty%2Fkernel%2Fstable-queue.git Add prism54 info leak from Roger While, fwd by jgarzik --- diff --git a/queue/prism54_frame_size.patch b/queue/prism54_frame_size.patch new file mode 100644 index 00000000000..1ca1ed673dc --- /dev/null +++ b/queue/prism54_frame_size.patch @@ -0,0 +1,46 @@ +From stable-bounces@linux.kernel.org Fri Oct 28 13:12:10 2005 +Date: Sat, 22 Oct 2005 11:01:02 +0200 +From: Roger While +To: netdev@vger.kernel.org +Cc: jgarzik@pobox.com +Subject: [PATCH 2.6.14-rc5] prism54 : Fix frame length + +prism54 is leaking information when passing transmits to the firmware. +There is no requirement to adjust the length to >= ETH_ZLEN. +Just pass the skb length (after possible adjustment). + +This should also be considered for 2.6.13 stable. + +Signed-off-by: Roger While +Acked-by: Jeff Garzik +Signed-off-by: Chris Wright +--- + + drivers/net/wireless/prism54/islpci_eth.c | 7 +------ + 1 files changed, 1 insertion(+), 6 deletions(-) + +Index: linux-2.6.14.y/drivers/net/wireless/prism54/islpci_eth.c +=================================================================== +--- linux-2.6.14.y.orig/drivers/net/wireless/prism54/islpci_eth.c ++++ linux-2.6.14.y/drivers/net/wireless/prism54/islpci_eth.c +@@ -97,12 +97,6 @@ islpci_eth_transmit(struct sk_buff *skb, + /* lock the driver code */ + spin_lock_irqsave(&priv->slock, flags); + +- /* determine the amount of fragments needed to store the frame */ +- +- frame_size = skb->len < ETH_ZLEN ? ETH_ZLEN : skb->len; +- if (init_wds) +- frame_size += 6; +- + /* check whether the destination queue has enough fragments for the frame */ + curr_frag = le32_to_cpu(cb->driver_curr_frag[ISL38XX_CB_TX_DATA_LQ]); + if (unlikely(curr_frag - priv->free_data_tx >= ISL38XX_CB_TX_QSIZE)) { +@@ -213,6 +207,7 @@ islpci_eth_transmit(struct sk_buff *skb, + /* store the skb address for future freeing */ + priv->data_low_tx[index] = skb; + /* set the proper fragment start address and size information */ ++ frame_size = skb->len; + fragment->size = cpu_to_le16(frame_size); + fragment->flags = cpu_to_le16(0); /* set to 1 if more fragments */ + fragment->address = cpu_to_le32(pci_map_address); diff --git a/queue/series b/queue/series new file mode 100644 index 00000000000..58b7404c699 --- /dev/null +++ b/queue/series @@ -0,0 +1 @@ +prism54_frame_size.patch