Source-Changes-HG archive

[src/trunk]: src/sys/dev/usb Stricter bounds check for some packet length we ...



details:   https://anonhg.NetBSD.org/src/rev/b425ea590270
branches:  trunk
changeset: 1010881:b425ea590270
user:      martin <martin%NetBSD.org@localhost>
date:      Thu Jun 11 09:51:37 2020 +0000

description:
Stricter bounds check for some packet length we get from the usb chip,
to make sure we do not corrupt kernel memory.
Pointed out by Ilja Van Sprundel.

diffstat:

 sys/dev/usb/if_otus.c |  11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

diffs (39 lines):

diff -r 597b98c3615b -r b425ea590270 sys/dev/usb/if_otus.c
--- a/sys/dev/usb/if_otus.c     Thu Jun 11 09:23:13 2020 +0000
+++ b/sys/dev/usb/if_otus.c     Thu Jun 11 09:51:37 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: if_otus.c,v 1.44 2020/03/15 23:04:50 thorpej Exp $     */
+/*     $NetBSD: if_otus.c,v 1.45 2020/06/11 09:51:37 martin Exp $      */
 /*     $OpenBSD: if_otus.c,v 1.18 2010/08/27 17:08:00 jsg Exp $        */
 
 /*-
@@ -23,7 +23,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_otus.c,v 1.44 2020/03/15 23:04:50 thorpej Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_otus.c,v 1.45 2020/06/11 09:51:37 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_usb.h"
@@ -1758,6 +1758,10 @@
        }
        /* Compute MPDU's length. */
        mlen = len - AR_PLCP_HDR_LEN - sizeof(*tail);
+       if (__predict_false(mlen < IEEE80211_CRC_LEN)) {
+               if_statinc(ifp, if_ierrors);
+               return;
+       }
        mlen -= IEEE80211_CRC_LEN;      /* strip 802.11 FCS */
        /* Make sure there's room for an 802.11 header. */
        /*
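Review bot: The new `mlen < IEEE80211_CRC_LEN` test only catches an undersized `len` if `mlen` is a signed type, and its declaration is not visible in this hunk. The subtraction on the line above includes `sizeof(*tail)`, which is `size_t`, so the arithmetic is unsigned and a `len` smaller than `AR_PLCP_HDR_LEN + sizeof(*tail)` wraps before it is stored in `mlen`. Comparing before subtracting, for example `if (len < AR_PLCP_HDR_LEN + sizeof(*tail) + IEEE80211_CRC_LEN)` (assuming `len` is known to be non-negative here), would make the check independent of the variable's type.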
@@ -1778,7 +1782,8 @@
                return;
        }
        if (align + mlen > MHLEN) {
-               MCLGET(m, M_DONTWAIT);
+               if (__predict_true(align + mlen <= MCLBYTES))
+                       MCLGET(m, M_DONTWAIT);
                if (__predict_false(!(m->m_flags & M_EXT))) {
                        if_statinc(ifp, if_ierrors);
                        m_freem(m);
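Review bot: In the `align + mlen > MHLEN` branch, an oversized frame (`align + mlen > MCLBYTES`) is rejected only indirectly: `MCLGET` is skipped and the following `!(m->m_flags & M_EXT)` test then fails. That works, but it reads like an allocation-failure path. A short comment, or an explicit `align + mlen > MCLBYTES` rejection of its own, would make the bound obvious and keep it from being lost if the `M_EXT` check is ever restructured. As written, a device-supplied oversize length and a genuine cluster allocation failure are both counted as `if_ierrors` through the same path, so the two cannot be told apart in the interface statistics.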