Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/sys/dev/usb usbnet(9): Fix mbuf alignment and narrow bounds ...

details:   https://anonhg.NetBSD.org/src/rev/9c175752900c
branches:  trunk
changeset: 368903:9c175752900c
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Fri Aug 12 11:25:45 2022 +0000

description:
usbnet(9): Fix mbuf alignment and narrow bounds check.

In usbnet.c rev. 1.16, usbnet_newbuf was first passed a buffer length
to verify it fits within MCLBYTES.  It also changed m_adj to go
before, not after, setting m_len and m_pkthdr.len -- which had the
effect of making the m_adj a no-op, because after MGETHDR the mbuf
has zero length and m_adj stops at the length of the mbuf, so nothing
was aligned as intended.

To make this aligned as intended, we require the buffer length to be
_below_ MCLBYTES, by ETHER_ALIGN, so there's room for the ethernet
header in a maximum-length payload.  Once we do that, it is safe to
initialize m_len = m_pkthdr.len = ETHER_ALIGN + buflen, which is
below the actual size of the mbuf (MHLEN or MCLBYTES, depending), and
_then_ do m_adj to align the pointer.

diffstat:

 sys/dev/usb/usbnet.c |  8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diffs (37 lines):

diff -r 99e255b4673c -r 9c175752900c sys/dev/usb/usbnet.c
--- a/sys/dev/usb/usbnet.c      Fri Aug 12 11:21:44 2022 +0000
+++ b/sys/dev/usb/usbnet.c      Fri Aug 12 11:25:45 2022 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: usbnet.c,v 1.95 2022/08/07 23:49:30 riastradh Exp $    */
+/*     $NetBSD: usbnet.c,v 1.96 2022/08/12 11:25:45 riastradh Exp $    */
 
 /*
  * Copyright (c) 2019 Matthew R. Green
@@ -31,7 +31,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: usbnet.c,v 1.95 2022/08/07 23:49:30 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: usbnet.c,v 1.96 2022/08/12 11:25:45 riastradh Exp $");
 
 #include <sys/param.h>
 #include <sys/kernel.h>
@@ -263,7 +263,7 @@
 {
        struct mbuf *m;
 
-       if (buflen > MCLBYTES)
+       if (buflen > MCLBYTES - ETHER_ALIGN)
                return NULL;
 
        MGETHDR(m, M_DONTWAIT, MT_DATA);
@@ -278,8 +278,8 @@
                }
        }
 
+       m->m_len = m->m_pkthdr.len = ETHER_ALIGN + buflen;
        m_adj(m, ETHER_ALIGN);
-       m->m_len = m->m_pkthdr.len = buflen;
 
        return m;
 }
Home | Main Index | Thread Index | Old Index