Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys/dev/usb Stricter bounds check for some packet length we ...
details: https://anonhg.NetBSD.org/src/rev/d52c6b5a5349
branches: trunk
changeset: 972846:d52c6b5a5349
user: martin <martin%NetBSD.org@localhost>
date: Thu Jun 11 09:51:37 2020 +0000
description:
Stricter bounds check for some packet length we get from the usb chip,
to make sure we do not corrupt kernel memory.
Pointed out by Ilja Van Sprundel.
diffstat:
sys/dev/usb/if_otus.c | 11 ++++++++---
1 files changed, 8 insertions(+), 3 deletions(-)
diffs (39 lines):
diff -r 939bd491f642 -r d52c6b5a5349 sys/dev/usb/if_otus.c
--- a/sys/dev/usb/if_otus.c Thu Jun 11 09:23:13 2020 +0000
+++ b/sys/dev/usb/if_otus.c Thu Jun 11 09:51:37 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: if_otus.c,v 1.44 2020/03/15 23:04:50 thorpej Exp $ */
+/* $NetBSD: if_otus.c,v 1.45 2020/06/11 09:51:37 martin Exp $ */
/* $OpenBSD: if_otus.c,v 1.18 2010/08/27 17:08:00 jsg Exp $ */
/*-
@@ -23,7 +23,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_otus.c,v 1.44 2020/03/15 23:04:50 thorpej Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_otus.c,v 1.45 2020/06/11 09:51:37 martin Exp $");
#ifdef _KERNEL_OPT
#include "opt_usb.h"
@@ -1758,6 +1758,10 @@
}
/* Compute MPDU's length. */
mlen = len - AR_PLCP_HDR_LEN - sizeof(*tail);
+ if (__predict_false(mlen < IEEE80211_CRC_LEN)) {
+ if_statinc(ifp, if_ierrors);
+ return;
+ }
mlen -= IEEE80211_CRC_LEN; /* strip 802.11 FCS */
/* Make sure there's room for an 802.11 header. */
/*
@@ -1778,7 +1782,8 @@
return;
}
if (align + mlen > MHLEN) {
- MCLGET(m, M_DONTWAIT);
+ if (__predict_true(align + mlen <= MCLBYTES))
+ MCLGET(m, M_DONTWAIT);
if (__predict_false(!(m->m_flags & M_EXT))) {
if_statinc(ifp, if_ierrors);
m_freem(m);
Home |
Main Index |
Thread Index |
Old Index