From 2ae23854dc0af617d9a0e3ab51a0cc51485ebbf2 Mon Sep 17 00:00:00 2001 From: Mattias Nissler Date: Sun, 9 Mar 2008 22:41:22 +0100 Subject: rt2x00: Don't use unitialized rxdesc->size rxdesc->size is unitialized before the desriptor has been read. Move the truncation of the sk buffer to the moment all variables have been initialized. Signed-off-by: Mattias Nissler Signed-off-by: Ivo van Doorn Signed-off-by: John W. Linville --- drivers/net/wireless/rt2x00/rt2500usb.c | 11 +++++++---- drivers/net/wireless/rt2x00/rt73usb.c | 11 +++++++---- 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/drivers/net/wireless/rt2x00/rt2500usb.c b/drivers/net/wireless/rt2x00/rt2500usb.c index 86cd9a5eee2..559131fc6d5 100644 --- a/drivers/net/wireless/rt2x00/rt2500usb.c +++ b/drivers/net/wireless/rt2x00/rt2500usb.c @@ -1123,13 +1123,10 @@ static void rt2500usb_fill_rxdone(struct queue_entry *entry, /* * Copy descriptor to the available headroom inside the skbuffer. - * Remove the original copy by trimming the skbuffer. */ skb_push(entry->skb, offset); memcpy(entry->skb->data, rxd, entry->queue->desc_size); rxd = (__le32 *)entry->skb->data; - skb_pull(entry->skb, offset); - skb_trim(entry->skb, rxdesc->size); /* * The descriptor is now aligned to 4 bytes and thus it is @@ -1154,12 +1151,18 @@ static void rt2500usb_fill_rxdone(struct queue_entry *entry, rxdesc->size = rt2x00_get_field32(word0, RXD_W0_DATABYTE_COUNT); rxdesc->my_bss = !!rt2x00_get_field32(word0, RXD_W0_MY_BSS); + /* + * Adjust the skb memory window to the frame boundaries. + */ + skb_pull(entry->skb, offset); + skb_trim(entry->skb, rxdesc->size); + /* * Set descriptor and data pointer. */ skbdesc->data = entry->skb->data; skbdesc->data_len = rxdesc->size; - skbdesc->desc = entry->skb->data - offset; + skbdesc->desc = rxd; skbdesc->desc_len = entry->queue->desc_size; } diff --git a/drivers/net/wireless/rt2x00/rt73usb.c b/drivers/net/wireless/rt2x00/rt73usb.c index a48c82f0921..468039f1bff 100644 --- a/drivers/net/wireless/rt2x00/rt73usb.c +++ b/drivers/net/wireless/rt2x00/rt73usb.c @@ -1376,13 +1376,10 @@ static void rt73usb_fill_rxdone(struct queue_entry *entry, /* * Copy descriptor to the available headroom inside the skbuffer. - * Remove the original copy by pulling the skbuffer. */ skb_push(entry->skb, offset); memcpy(entry->skb->data, rxd, entry->queue->desc_size); rxd = (__le32 *)entry->skb->data; - skb_pull(entry->skb, offset + entry->queue->desc_size); - skb_trim(entry->skb, rxdesc->size); /* * The descriptor is now aligned to 4 bytes and thus it is @@ -1404,12 +1401,18 @@ static void rt73usb_fill_rxdone(struct queue_entry *entry, rxdesc->size = rt2x00_get_field32(word0, RXD_W0_DATABYTE_COUNT); rxdesc->my_bss = !!rt2x00_get_field32(word0, RXD_W0_MY_BSS); + /* + * Adjust the skb memory window to the frame boundaries. + */ + skb_pull(entry->skb, offset + entry->queue->desc_size); + skb_trim(entry->skb, rxdesc->size); + /* * Set descriptor and data pointer. */ skbdesc->data = entry->skb->data; skbdesc->data_len = rxdesc->size; - skbdesc->desc = entry->skb->data - offset; + skbdesc->desc = rxd; skbdesc->desc_len = entry->queue->desc_size; } -- cgit v1.2.3