Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-9]: src/sys/dev/usb Pull up following revision (requested by mart...
details: https://anonhg.NetBSD.org/src/rev/c5513bce2310
branches: netbsd-9
changeset: 1001808:c5513bce2310
user: jdc <jdc%NetBSD.org@localhost>
date: Thu Jun 11 11:01:20 2020 +0000
description:
Pull up following revision (requested by martin in ticket #957):
src/sys/dev/usb/if_otus.c: revision 1.45 (via patch)
Stricter bounds check for some packet length we get from the usb chip,
to make sure we do not corrupt kernel memory.
Pointed out by Ilja Van Sprundel.
diffstat:
sys/dev/usb/if_otus.c | 11 ++++++++---
1 files changed, 8 insertions(+), 3 deletions(-)
diffs (39 lines):
diff -r 263fc9cb07bb -r c5513bce2310 sys/dev/usb/if_otus.c
--- a/sys/dev/usb/if_otus.c Sun Jun 07 19:08:12 2020 +0000
+++ b/sys/dev/usb/if_otus.c Thu Jun 11 11:01:20 2020 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: if_otus.c,v 1.38 2019/05/28 07:41:50 msaitoh Exp $ */
+/* $NetBSD: if_otus.c,v 1.38.2.1 2020/06/11 11:01:20 jdc Exp $ */
/* $OpenBSD: if_otus.c,v 1.18 2010/08/27 17:08:00 jsg Exp $ */
/*-
@@ -23,7 +23,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_otus.c,v 1.38 2019/05/28 07:41:50 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_otus.c,v 1.38.2.1 2020/06/11 11:01:20 jdc Exp $");
#ifdef _KERNEL_OPT
#include "opt_usb.h"
@@ -1745,6 +1745,10 @@
}
/* Compute MPDU's length. */
mlen = len - AR_PLCP_HDR_LEN - sizeof(*tail);
+ if (__predict_false(mlen < IEEE80211_CRC_LEN)) {
+ ifp->if_ierrors++;
+ return;
+ }
mlen -= IEEE80211_CRC_LEN; /* strip 802.11 FCS */
/* Make sure there's room for an 802.11 header. */
/*
@@ -1765,7 +1769,8 @@
return;
}
if (align + mlen > MHLEN) {
- MCLGET(m, M_DONTWAIT);
+ if (__predict_true(align + mlen <= MCLBYTES))
+ MCLGET(m, M_DONTWAIT);
if (__predict_false(!(m->m_flags & M_EXT))) {
ifp->if_ierrors++;
m_freem(m);
Home |
Main Index |
Thread Index |
Old Index