Module Name: src
Committed By: skrll
Date: Sun Aug 11 06:54:15 UTC 2019
Modified Files:
src/sys/dev/usb: if_smsc.c
Log Message:
Add a check in smsc_tx_prepare for the mbuf being too big. Discussed
with mrg@
To generate a diff of this commit:
cvs rdiff -u -r1.51 -r1.52 src/sys/dev/usb/if_smsc.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/usb/if_smsc.c
diff -u src/sys/dev/usb/if_smsc.c:1.51 src/sys/dev/usb/if_smsc.c:1.52
--- src/sys/dev/usb/if_smsc.c:1.51 Sat Aug 10 02:17:36 2019
+++ src/sys/dev/usb/if_smsc.c Sun Aug 11 06:54:14 2019
@@ -1,4 +1,4 @@
-/* $NetBSD: if_smsc.c,v 1.51 2019/08/10 02:17:36 mrg Exp $ */
+/* $NetBSD: if_smsc.c,v 1.52 2019/08/11 06:54:14 skrll Exp $ */
/* $OpenBSD: if_smsc.c,v 1.4 2012/09/27 12:38:11 jsg Exp $ */
/* $FreeBSD: src/sys/dev/usb/net/if_smsc.c,v 1.1 2012/08/15 04:03:55 gonzo Exp $ */
@@ -61,7 +61,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_smsc.c,v 1.51 2019/08/10 02:17:36 mrg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_smsc.c,v 1.52 2019/08/11 06:54:14 skrll Exp $");
#ifdef _KERNEL_OPT
#include "opt_usb.h"
@@ -1048,6 +1048,11 @@ smsc_tx_prepare(struct usbnet *un, struc
usbnet_isowned_tx(un);
+ const size_t hdrsz = sizeof(txhdr) * 2;
+
+ if ((unsigned)m->m_pkthdr.len > un->un_tx_bufsz - hdrsz)
+ return 0;
+
/*
* Each frame is prefixed with two 32-bit values describing the
* length of the packet and buffer.
@@ -1059,9 +1064,9 @@ smsc_tx_prepare(struct usbnet *un, struc
txhdr = SMSC_TX_CTRL_1_PKT_LENGTH(m->m_pkthdr.len);
txhdr = htole32(txhdr);
- memcpy(c->unc_buf + 4, &txhdr, sizeof(txhdr));
+ memcpy(c->unc_buf + sizeof(txhdr), &txhdr, sizeof(txhdr));
- frm_len += 8;
+ frm_len += hdrsz;
/* Next copy in the actual packet */
m_copydata(m, 0, m->m_pkthdr.len, c->unc_buf + frm_len);
