Module Name: src Committed By: skrll Date: Sun Aug 11 06:54:15 UTC 2019
Modified Files: src/sys/dev/usb: if_smsc.c Log Message: Add a check in smsc_tx_prepare for the mbuf being too big. Discussed with mrg@ To generate a diff of this commit: cvs rdiff -u -r1.51 -r1.52 src/sys/dev/usb/if_smsc.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/dev/usb/if_smsc.c diff -u src/sys/dev/usb/if_smsc.c:1.51 src/sys/dev/usb/if_smsc.c:1.52 --- src/sys/dev/usb/if_smsc.c:1.51 Sat Aug 10 02:17:36 2019 +++ src/sys/dev/usb/if_smsc.c Sun Aug 11 06:54:14 2019 @@ -1,4 +1,4 @@ -/* $NetBSD: if_smsc.c,v 1.51 2019/08/10 02:17:36 mrg Exp $ */ +/* $NetBSD: if_smsc.c,v 1.52 2019/08/11 06:54:14 skrll Exp $ */ /* $OpenBSD: if_smsc.c,v 1.4 2012/09/27 12:38:11 jsg Exp $ */ /* $FreeBSD: src/sys/dev/usb/net/if_smsc.c,v 1.1 2012/08/15 04:03:55 gonzo Exp $ */ @@ -61,7 +61,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: if_smsc.c,v 1.51 2019/08/10 02:17:36 mrg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_smsc.c,v 1.52 2019/08/11 06:54:14 skrll Exp $"); #ifdef _KERNEL_OPT #include "opt_usb.h" @@ -1048,6 +1048,11 @@ smsc_tx_prepare(struct usbnet *un, struc usbnet_isowned_tx(un); + const size_t hdrsz = sizeof(txhdr) * 2; + + if ((unsigned)m->m_pkthdr.len > un->un_tx_bufsz - hdrsz) + return 0; + /* * Each frame is prefixed with two 32-bit values describing the * length of the packet and buffer. @@ -1059,9 +1064,9 @@ smsc_tx_prepare(struct usbnet *un, struc txhdr = SMSC_TX_CTRL_1_PKT_LENGTH(m->m_pkthdr.len); txhdr = htole32(txhdr); - memcpy(c->unc_buf + 4, &txhdr, sizeof(txhdr)); + memcpy(c->unc_buf + sizeof(txhdr), &txhdr, sizeof(txhdr)); - frm_len += 8; + frm_len += hdrsz; /* Next copy in the actual packet */ m_copydata(m, 0, m->m_pkthdr.len, c->unc_buf + frm_len);