Module Name: src
Committed By: bouyer
Date: Tue Jun 16 10:33:38 UTC 2020
Modified Files:
src/sys/dev/usb [netbsd-7]: if_otus.c
Log Message:
Pull up following revision(s) (requested by martin in ticket #1734):
sys/dev/usb/if_otus.c: revision 1.45 via patch
Stricter bounds check for some packet length we get from the usb chip,
to make sure we do not corrupt kernel memory.
Pointed out by Ilja Van Sprundel.
To generate a diff of this commit:
cvs rdiff -u -r1.25.4.3 -r1.25.4.4 src/sys/dev/usb/if_otus.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/usb/if_otus.c
diff -u src/sys/dev/usb/if_otus.c:1.25.4.3 src/sys/dev/usb/if_otus.c:1.25.4.4
--- src/sys/dev/usb/if_otus.c:1.25.4.3 Wed Aug 8 10:17:11 2018
+++ src/sys/dev/usb/if_otus.c Tue Jun 16 10:33:38 2020
@@ -1,4 +1,4 @@
-/* $NetBSD: if_otus.c,v 1.25.4.3 2018/08/08 10:17:11 martin Exp $ */
+/* $NetBSD: if_otus.c,v 1.25.4.4 2020/06/16 10:33:38 bouyer Exp $ */
/* $OpenBSD: if_otus.c,v 1.18 2010/08/27 17:08:00 jsg Exp $ */
/*-
@@ -23,7 +23,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_otus.c,v 1.25.4.3 2018/08/08 10:17:11 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_otus.c,v 1.25.4.4 2020/06/16 10:33:38 bouyer Exp $");
#ifdef _KERNEL_OPT
#include "opt_usb.h"
@@ -1750,6 +1750,10 @@ otus_sub_rxeof(struct otus_softc *sc, ui
}
/* Compute MPDU's length. */
mlen = len - AR_PLCP_HDR_LEN - sizeof(*tail);
+ if (__predict_false(mlen < IEEE80211_CRC_LEN)) {
+ ifp->if_ierrors++;
+ return;
+ }
mlen -= IEEE80211_CRC_LEN; /* strip 802.11 FCS */
/* Make sure there's room for an 802.11 header. */
/*
@@ -1770,7 +1774,8 @@ otus_sub_rxeof(struct otus_softc *sc, ui
return;
}
if (align + mlen > MHLEN) {
- MCLGET(m, M_DONTWAIT);
+ if (__predict_true(align + mlen <= MCLBYTES))
+ MCLGET(m, M_DONTWAIT);
if (__predict_false(!(m->m_flags & M_EXT))) {
ifp->if_ierrors++;
m_freem(m);
