--- /dev/null
+From 22692018b93f0782cda5a843cecfffda1854eb8d Mon Sep 17 00:00:00 2001
+From: Baruch Siach <baruch@tkos.co.il>
+Date: Sun, 4 Jan 2009 16:23:01 -0800
+Subject: enc28j60: fix RX buffer overflow
+
+From: Baruch Siach <baruch@tkos.co.il>
+
+commit 22692018b93f0782cda5a843cecfffda1854eb8d upstream.
+
+The enc28j60 driver doesn't check whether the length of the packet as reported
+by the hardware fits into the preallocated buffer. When stressed, the hardware
+may report insanely large packets even tough the "Receive OK" bit is set. Fix
+this.
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/enc28j60.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/enc28j60.c
++++ b/drivers/net/enc28j60.c
+@@ -919,7 +919,7 @@ static void enc28j60_hw_rx(struct net_de
+ if (netif_msg_rx_status(priv))
+ enc28j60_dump_rsv(priv, __FUNCTION__, next_packet, len, rxstat);
+
+- if (!RSV_GETBIT(rxstat, RSV_RXOK)) {
++ if (!RSV_GETBIT(rxstat, RSV_RXOK) || len > MAX_FRAMELEN) {
+ if (netif_msg_rx_err(priv))
+ dev_err(&ndev->dev, "Rx Error (%04x)\n", rxstat);
+ ndev->stats.rx_errors++;
+@@ -927,6 +927,8 @@ static void enc28j60_hw_rx(struct net_de
+ ndev->stats.rx_crc_errors++;
+ if (RSV_GETBIT(rxstat, RSV_LENCHECKERR))
+ ndev->stats.rx_frame_errors++;
++ if (len > MAX_FRAMELEN)
++ ndev->stats.rx_over_errors++;
+ } else {
+ skb = dev_alloc_skb(len + NET_IP_ALIGN);
+ if (!skb) {
projects / thirdparty / kernel / stable-queue.git / commitdiff
