Module Name: src
Committed By: mlelstv
Date: Fri Jun 13 18:49:41 UTC 2014
Modified Files:
src/sys/dev/usb: if_smsc.c
Log Message:
Align buffer pointer to longwords. Otherwise arbitrary data will be
interpreted as length field of the receive header which can
cause mbuf overruns and memory corruption. Also add sanity checks.
To generate a diff of this commit:
cvs rdiff -u -r1.16 -r1.17 src/sys/dev/usb/if_smsc.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/usb/if_smsc.c
diff -u src/sys/dev/usb/if_smsc.c:1.16 src/sys/dev/usb/if_smsc.c:1.17
--- src/sys/dev/usb/if_smsc.c:1.16 Mon Jun 9 15:50:55 2014
+++ src/sys/dev/usb/if_smsc.c Fri Jun 13 18:49:41 2014
@@ -1,4 +1,4 @@
-/* $NetBSD: if_smsc.c,v 1.16 2014/06/09 15:50:55 skrll Exp $ */
+/* $NetBSD: if_smsc.c,v 1.17 2014/06/13 18:49:41 mlelstv Exp $ */
/* $OpenBSD: if_smsc.c,v 1.4 2012/09/27 12:38:11 jsg Exp $ */
/* $FreeBSD: src/sys/dev/usb/net/if_smsc.c,v 1.1 2012/08/15 04:03:55 gonzo Exp $ */
@@ -1305,6 +1305,13 @@ smsc_rxeof(usbd_xfer_handle xfer, usbd_p
pktlen += ETHER_ALIGN;
+ if (pktlen > MCLBYTES) {
+ smsc_dbg_printf(sc, "pktlen %d > MCLBYTES %d\n",
+ pktlen, MCLBYTES);
+ ifp->if_ierrors++;
+ goto done;
+ }
+
if (pktlen > total_len) {
smsc_dbg_printf(sc, "pktlen %d > total_len %d\n",
pktlen, total_len);
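Review bot: Only an upper bound is checked on `pktlen` here; nothing in the visible lines rejects a device-reported length that is too small to hold an Ethernet header and FCS, and such a frame passes both comparisons and goes on to the mbuf setup. If smsc_rxeof does not enforce a minimum before this point (the function starts outside the hunk), a guard such as `if (pktlen < ETHER_ALIGN + ETHER_HDR_LEN + ETHER_CRC_LEN)` with the same `ifp->if_ierrors++; goto done;` handling would close that side. Per the log message the length comes from the receive header in the transfer, so it should be treated as untrusted in both directions.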
@@ -1324,6 +1331,8 @@ smsc_rxeof(usbd_xfer_handle xfer, usbd_p
m->m_pkthdr.len = m->m_len = pktlen;
m->m_flags |= M_HASFCS;
m_adj(m, ETHER_ALIGN);
+
+ KASSERT(m->m_len < MCLBYTES);
memcpy(mtod(m, char *), buf + ETHER_ALIGN, m->m_len);
/* Check if RX TCP/UDP checksumming is being offloaded */
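Review bot: The `KASSERT(m->m_len < MCLBYTES)` before the `memcpy` is not a runtime guard on kernels built without DIAGNOSTIC, so the copy is bounded only by the earlier `pktlen > MCLBYTES` check, and nothing here records that dependency. A comment such as `/* pktlen <= MCLBYTES was checked above, so m_len fits in a cluster */` would make it explicit for whoever next touches either site. MCLBYTES is also the right bound only if this mbuf always has a cluster attached; the allocation is outside this hunk, so that is worth confirming.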
@@ -1375,6 +1384,13 @@ smsc_rxeof(usbd_xfer_handle xfer, usbd_p
}
}
+ /* round up to next longword */
+ pktlen = (pktlen + 3) & ~0x3;
+
+ /* total_len does not include the padding */
+ if (pktlen > total_len)
+ pktlen = total_len;
+
buf += pktlen;
total_len -= pktlen;
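Review bot: The round-up `(pktlen + 3) & ~0x3` leaves `buf` on a longword boundary only if the frame data itself began on one, which cannot be confirmed from this hunk; the comment should name the device behaviour being relied on, for example `/* frames are padded so the next RX header is longword aligned */`, once that is verified against the earlier part of smsc_rxeof. `roundup2(pktlen, 4)` would express the same computation without the bare mask. The clamp to `total_len` covers missing padding after the last frame, and when it triggers `total_len` drops to zero, which presumably ends the loop that encloses this code.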