High severity7.5NVD Advisory· Published May 24, 2012· Updated Apr 29, 2026
CVE-2011-3359
CVE-2011-3359
Description
The dma_rx function in drivers/net/wireless/b43/dma.c in the Linux kernel before 2.6.39 does not properly allocate receive buffers, which allows remote attackers to cause a denial of service (system crash) via a crafted frame.
Affected products
1Patches
1c85ce65ecac0b43: allocate receive buffers big enough for max frame len + offset
2 files changed · +2 −2
drivers/net/wireless/b43/dma.c+1 −1 modified@@ -1536,7 +1536,7 @@ static void dma_rx(struct b43_dmaring *ring, int *slot) dmaaddr = meta->dmaaddr; goto drop_recycle_buffer; } - if (unlikely(len > ring->rx_buffersize)) { + if (unlikely(len + ring->frameoffset > ring->rx_buffersize)) { /* The data did not fit into one descriptor buffer * and is split over multiple buffers. * This should never happen, as we try to allocate buffers
drivers/net/wireless/b43/dma.h+1 −1 modified@@ -163,7 +163,7 @@ struct b43_dmadesc_generic { /* DMA engine tuning knobs */ #define B43_TXRING_SLOTS 256 #define B43_RXRING_SLOTS 64 -#define B43_DMA0_RX_BUFFERSIZE IEEE80211_MAX_FRAME_LEN +#define B43_DMA0_RX_BUFFERSIZE (B43_DMA0_RX_FRAMEOFFSET + IEEE80211_MAX_FRAME_LEN) /* Pointer poison */ #define B43_DMA_PTR_POISON ((void *)ERR_PTR(-ENOMEM))
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- www.openwall.com/lists/oss-security/2011/09/14/2nvdMailing ListPatchThird Party Advisory
- bugzilla.redhat.com/show_bug.cginvdIssue TrackingPatchThird Party Advisory
- github.com/torvalds/linux/commit/c85ce65ecac078ab1a1835c87c4a6319cf74660anvdExploitPatchThird Party Advisory
- ftp.osuosl.org/pub/linux/kernel/v2.6/ChangeLog-2.6.39nvdBroken Link
News mentions
0No linked articles in our index yet.