[kernel] fix buffer overflow in RTL8169 NIC driver
[openwrt/svn-archive/archive.git] / target / linux / generic-2.6 / patches-2.6.26 / 995-cve-2009-1389.patch
1 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1389
2
3 --- a/drivers/net/r8169.c
4 +++ b/drivers/net/r8169.c
5 @@ -81,7 +81,6 @@ static const int multicast_filter_limit
6 #define RX_DMA_BURST 6 /* Maximum PCI burst, '6' is 1024 */
7 #define TX_DMA_BURST 6 /* Maximum PCI burst, '6' is 1024 */
8 #define EarlyTxThld 0x3F /* 0x3F means NO early transmit */
9 -#define RxPacketMaxSize 0x3FE8 /* 16K - 1 - ETH_HLEN - VLAN - CRC... */
10 #define SafeMtu 0x1c20 /* ... actually life sucks beyond ~7k */
11 #define InterFrameGap 0x03 /* 3 means InterFrameGap = the shortest one */
12
13 @@ -1982,10 +1981,10 @@ static u16 rtl_rw_cpluscmd(void __iomem
14 return cmd;
15 }
16
17 -static void rtl_set_rx_max_size(void __iomem *ioaddr)
18 +static void rtl_set_rx_max_size(void __iomem *ioaddr, unsigned int rx_buf_sz)
19 {
20 /* Low hurts. Let's disable the filtering. */
21 - RTL_W16(RxMaxSize, 16383);
22 + RTL_W16(RxMaxSize, rx_buf_sz);
23 }
24
25 static void rtl8169_set_magic_reg(void __iomem *ioaddr, unsigned mac_version)
26 @@ -2032,7 +2031,7 @@ static void rtl_hw_start_8169(struct net
27
28 RTL_W8(EarlyTxThres, EarlyTxThld);
29
30 - rtl_set_rx_max_size(ioaddr);
31 + rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
32
33 if ((tp->mac_version == RTL_GIGA_MAC_VER_01) ||
34 (tp->mac_version == RTL_GIGA_MAC_VER_02) ||
35 @@ -2096,7 +2095,7 @@ static void rtl_hw_start_8168(struct net
36
37 RTL_W8(EarlyTxThres, EarlyTxThld);
38
39 - rtl_set_rx_max_size(ioaddr);
40 + rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
41
42 rtl_set_rx_tx_config_registers(tp);
43
44 @@ -2150,7 +2149,7 @@ static void rtl_hw_start_8101(struct net
45
46 RTL_W8(EarlyTxThres, EarlyTxThld);
47
48 - rtl_set_rx_max_size(ioaddr);
49 + rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
50
51 tp->cp_cmd |= rtl_rw_cpluscmd(ioaddr) | PCIMulRW;
52