1 From 5214760261aead3d3546b594e5b7021514ef76d1 Mon Sep 17 00:00:00 2001
2 From: Jes Sorensen <Jes.Sorensen@redhat.com>
3 Date: Wed, 28 Sep 2016 14:48:51 -0400
4 Subject: [PATCH] rtl8xxxu: Fix memory leak in handling rxdesc16 packets
6 A device running without RX package aggregation could return more data
7 in the USB packet than the actual network packet. In this case the
8 could would clone the skb but then determine that that there was no
9 packet to handle and exit without freeing the cloned skb first.
11 This has so far only been observed with 8188eu devices, but could
14 Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
16 drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 7 ++++++-
17 1 file changed, 6 insertions(+), 1 deletion(-)
19 --- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
20 +++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
21 @@ -5296,7 +5296,12 @@ int rtl8xxxu_parse_rxdesc16(struct rtl8x
22 pkt_offset = roundup(pkt_len + drvinfo_sz + desc_shift +
23 sizeof(struct rtl8xxxu_rxdesc16), 128);
27 + * Only clone the skb if there's enough data at the end to
28 + * at least cover the rx descriptor
31 + urb_len > (pkt_offset + sizeof(struct rtl8xxxu_rxdesc16)))
32 next_skb = skb_clone(skb, GFP_ATOMIC);
34 rx_status = IEEE80211_SKB_RXCB(skb);