
[src/trunk]: src/sys/dev/usb Align buffer pointer to longwords. Otherwise arb...



details:   https://anonhg.NetBSD.org/src/rev/f542c1e3c18d
branches:  trunk
changeset: 329911:f542c1e3c18d
user:      mlelstv <mlelstv%NetBSD.org@localhost>
date:      Fri Jun 13 18:49:41 2014 +0000

description:
Align buffer pointer to longwords. Otherwise arbitrary data will be
interpreted as the length field of the receive header, which can
cause mbuf overruns and memory corruption. Also add sanity checks.

diffstat:

 sys/dev/usb/if_smsc.c |  18 +++++++++++++++++-
 1 files changed, 17 insertions(+), 1 deletions(-)

diffs (46 lines):

diff -r cbe6ad73cbe6 -r f542c1e3c18d sys/dev/usb/if_smsc.c
--- a/sys/dev/usb/if_smsc.c     Fri Jun 13 16:00:55 2014 +0000
+++ b/sys/dev/usb/if_smsc.c     Fri Jun 13 18:49:41 2014 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: if_smsc.c,v 1.16 2014/06/09 15:50:55 skrll Exp $       */
+/*     $NetBSD: if_smsc.c,v 1.17 2014/06/13 18:49:41 mlelstv Exp $     */
 
 /*     $OpenBSD: if_smsc.c,v 1.4 2012/09/27 12:38:11 jsg Exp $ */
 /* $FreeBSD: src/sys/dev/usb/net/if_smsc.c,v 1.1 2012/08/15 04:03:55 gonzo Exp $ */
@@ -1305,6 +1305,13 @@
 
                pktlen += ETHER_ALIGN;
 
+               if (pktlen > MCLBYTES) {
+                       smsc_dbg_printf(sc, "pktlen %d > MCLBYTES %d\n",
+                           pktlen, MCLBYTES);
+                       ifp->if_ierrors++;
+                       goto done;
+               }
+
                if (pktlen > total_len) {
                        smsc_dbg_printf(sc, "pktlen %d > total_len %d\n",
                            pktlen, total_len);
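Review bot: The new guard bounds `pktlen` only from above; no minimum frame length is checked in this hunk, so a header-supplied length of zero would pass both comparisons and carry on with `pktlen == ETHER_ALIGN`. If the code outside the hunk does not already reject short frames, a lower bound next to this check, e.g. `if (pktlen < ETHER_ALIGN + ETHER_HDR_LEN) { ifp->if_ierrors++; goto done; }`, would keep empty or truncated frames out of the mbuf path. The receive loop starts and ends outside the hunk, so this may already be handled there.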
@@ -1324,6 +1331,8 @@
                m->m_pkthdr.len = m->m_len = pktlen;
                m->m_flags |= M_HASFCS;
                m_adj(m, ETHER_ALIGN);
+
+               KASSERT(m->m_len < MCLBYTES);
                memcpy(mtod(m, char *), buf + ETHER_ALIGN, m->m_len);
 
                /* Check if RX TCP/UDP checksumming is being offloaded */
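Review bot: `KASSERT(m->m_len < MCLBYTES)` is looser than the invariant the `memcpy` below it needs: after `m_adj(m, ETHER_ALIGN)` the data pointer has moved forward, so the room left is presumably `MCLBYTES - ETHER_ALIGN` (assuming the mbuf carries a single MCLBYTES cluster, which is allocated outside the hunk). The tight form would be `KASSERT(m->m_len <= MCLBYTES - ETHER_ALIGN);`, which also lines up with the `pktlen > MCLBYTES` guard added earlier in this commit. An assertion is normally compiled out of non-DIAGNOSTIC kernels, so the earlier runtime check remains the real protection; a one-line comment saying so would stop a later cleanup from treating the two as redundant.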
@@ -1375,6 +1384,13 @@
                        }
                }
 
+               /* round up to next longword */
+               pktlen = (pktlen + 3) & ~0x3;
+
+               /* total_len does not include the padding */
+               if (pktlen > total_len)
+                       pktlen = total_len;
+
                buf += pktlen;
                total_len -= pktlen;
 
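Review bot: The comment `/* round up to next longword */` says what the mask does but not why it matters for memory safety; the reason is only in the commit message and belongs at the code. Something like `/* each RX header starts on a 4-byte boundary; skip the pad so the next header is not read from frame data */` would keep the invariant visible to the next maintainer. It is also worth noting in the second comment that the clamp makes the following `total_len -= pktlen` end at zero rather than wrap, which matters if `total_len` is unsigned (its declaration is not in the hunk). The loop continues outside the hunk.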


