From: Ivan Vecera <ivecera@redhat.com>
Date: Tue, 16 Jun 2009 10:08:01 +0200
Subject: [net] r8169: fix crash when large packets are received
Message-id: 1245139681-8310-1-git-send-email-ivecera@redhat.com
O-Subject: [RHEL5.4 PATCH] [net] r8169: fix crash when large packets are received
Bugzilla: 504732
RH-Acked-by: Michal Schmidt <mschmidt@redhat.com>
RH-Acked-by: Jiri Pirko <jpirko@redhat.com>
RH-Acked-by: Rik van Riel <riel@redhat.com>
RH-Acked-by: Jerome Marchand <jmarchan@redhat.com>
CVE: CVE-2009-1389

BZs:
#504732 - CVE-2009-1389 kernel: r8169: fix crash when large packets are received

Description:
A large packet could crash a machine with RTL8169 based NIC. The driver
informs NIC that frames up to 16383 bytes can be received but provides
RX ring allocated with smaller sizes (1536 bytes for 1500 MTU).
When a frame larger than what was allocated by driver is received, DMA
transfert can occurs past the end of buffer and corrupt kernel memory.
The NIC should know the real maximum frame size.

Upstream commits:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=fdd7b4c3302c93f6833e338903ea77245eb510b4

Signed-off-by: Ivan Vecera <ivecera@redhat.com>

diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c
index a6020dd..48ca235 100644
--- a/drivers/net/r8169.c
+++ b/drivers/net/r8169.c
@@ -67,7 +67,6 @@ static const int multicast_filter_limit = 32;
 #define RX_DMA_BURST	6	/* Maximum PCI burst, '6' is 1024 */
 #define TX_DMA_BURST	6	/* Maximum PCI burst, '6' is 1024 */
 #define EarlyTxThld	0x3F	/* 0x3F means NO early transmit */
-#define RxPacketMaxSize	0x3FE8	/* 16K - 1 - ETH_HLEN - VLAN - CRC... */
 #define SafeMtu		0x1c20	/* ... actually life sucks beyond ~7k */
 #define InterFrameGap	0x03	/* 3 means InterFrameGap = the shortest one */
 
@@ -2345,10 +2344,10 @@ static u16 rtl_rw_cpluscmd(void __iomem *ioaddr)
 	return cmd;
 }
 
-static void rtl_set_rx_max_size(void __iomem *ioaddr)
+static void rtl_set_rx_max_size(void __iomem *ioaddr, unsigned int rx_buf_sz)
 {
 	/* Low hurts. Let's disable the filtering. */
-	RTL_W16(RxMaxSize, 16383);
+	RTL_W16(RxMaxSize, rx_buf_sz);
 }
 
 static void rtl8169_set_magic_reg(void __iomem *ioaddr, unsigned mac_version)
@@ -2395,7 +2394,7 @@ static void rtl_hw_start_8169(struct net_device *dev)
 
 	RTL_W8(EarlyTxThres, EarlyTxThld);
 
-	rtl_set_rx_max_size(ioaddr);
+	rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
 
 	if ((tp->mac_version == RTL_GIGA_MAC_VER_01) ||
 	    (tp->mac_version == RTL_GIGA_MAC_VER_02) ||
@@ -2656,7 +2655,7 @@ static void rtl_hw_start_8168(struct net_device *dev)
 
 	RTL_W8(EarlyTxThres, EarlyTxThld);
 
-	rtl_set_rx_max_size(ioaddr);
+	rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
 
 	tp->cp_cmd |= RTL_R16(CPlusCmd) | PktCntrDisable | INTT_1;
 
@@ -2834,7 +2833,7 @@ static void rtl_hw_start_8101(struct net_device *dev)
 
 	RTL_W8(EarlyTxThres, EarlyTxThld);
 
-	rtl_set_rx_max_size(ioaddr);
+	rtl_set_rx_max_size(ioaddr, tp->rx_buf_sz);
 
 	tp->cp_cmd |= rtl_rw_cpluscmd(ioaddr) | PCIMulRW;