Re: upl(4) buffer length validation

2011-03-21 Thread Loganaden Velvindron
Hi,

Jasper pointed out that the minimum length should be 1.

Please test!

Index: src/sys/dev/usb/if_upl.c
===
RCS file: /cvs/src/sys/dev/usb/if_upl.c,v
retrieving revision 1.47
diff -u -p -r1.47 if_upl.c
--- src/sys/dev/usb/if_upl.c25 Jan 2011 20:03:35 -  1.47
+++ src/sys/dev/usb/if_upl.c21 Mar 2011 18:51:02 -
@@ -494,6 +494,11 @@ upl_rxeof(usbd_xfer_handle xfer, usbd_pr
DPRINTFN(9,("%s: %s: enter status=%d length=%d\n",
sc->sc_dev.dv_xname, __func__, status, total_len));
 
+   if (total_len <= 1 || total_len > UPL_BUFSZ) {
+   ifp->if_ierrors++;
+   goto done;
+   }
+
m = c->upl_mbuf;
memcpy(mtod(c->upl_mbuf, char *), c->upl_buf, total_len);
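
Review bot: The lower bound in the added check, "total_len <= 1", also rejects a transfer of exactly 1 byte, which does not match the stated intent that the minimum length should be 1. If 1 is the smallest valid length, the test should be "total_len < 1 || total_len > UPL_BUFSZ". If frames of 1 byte really are meant to be dropped, a short comment above the check saying why would help. The upper bound against UPL_BUFSZ is the part that keeps the memcpy() from c->upl_buf within the buffer; it would also be worth confirming that the destination mbuf has at least UPL_BUFSZ bytes available, since the hunk does not show that.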



upl(4) buffer length validation

2011-03-19 Thread Loganaden Velvindron
Hi,

This discards frames that are less than 0, and those
that are more than the maximum possible buffer size.

Please test.

As usual, any feedback welcomed.

Index: src/sys/dev/usb/if_upl.c
===
RCS file: /cvs/src/sys/dev/usb/if_upl.c,v
retrieving revision 1.47
diff -u -p -r1.47 if_upl.c
--- src/sys/dev/usb/if_upl.c25 Jan 2011 20:03:35 -  1.47
+++ src/sys/dev/usb/if_upl.c20 Mar 2011 05:42:16 -
@@ -494,6 +494,11 @@ upl_rxeof(usbd_xfer_handle xfer, usbd_pr
DPRINTFN(9,("%s: %s: enter status=%d length=%d\n",
sc->sc_dev.dv_xname, __func__, status, total_len));
 
+   if (total_len < 0 || total_len > UPL_BUFSZ) {
+   ifp->if_ierrors++;
+   goto done;
+   }
+
m = c->upl_mbuf;
memcpy(mtod(c->upl_mbuf, char *), c->upl_buf, total_len);
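
Review bot: The lower bound "total_len < 0" still lets a zero-length transfer through to the memcpy() and onward as an empty frame, so the check should reject 0 as well unless an empty frame is valid for this device. The declaration of total_len is not in the hunk; if it is an unsigned type, "total_len < 0" can never be true and only the UPL_BUFSZ comparison has any effect. Comparing against the smallest valid frame length instead would cover both cases.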