mac80211: add skb length sanity checking

We just found a bug in zd1211rw where it would reject
packets in the ->tx() method but leave them modified,
which would cause retransmit attempts with completely
bogus skbs, eventually leading to a panic due to not
having enough headroom in those.

This patch adds a sanity check to mac80211 to catch
such driver mistakes; in this case we warn and drop
the skb.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index b909e40..a0e00c6 100644 (file)
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1089,7 +1089,7 @@ static int __ieee80211_tx(struct ieee80211_local *local,
 {
        struct sk_buff *skb = *skbp, *next;
        struct ieee80211_tx_info *info;
-       int ret;
+       int ret, len;
        bool fragm = false;
 
        local->mdev->trans_start = jiffies;
@@ -1125,7 +1125,12 @@ static int __ieee80211_tx(struct ieee80211_local *local,
                }
 
                next = skb->next;
+               len = skb->len;
                ret = local->ops->tx(local_to_hw(local), skb);
+               if (WARN_ON(ret != NETDEV_TX_OK && skb->len != len)) {
+                       dev_kfree_skb(skb);
+                       ret = NETDEV_TX_OK;
+               }
                if (ret != NETDEV_TX_OK)
                        return IEEE80211_TX_AGAIN;
                *skbp = skb = next;