[PATCH] frame length validation for USB ethernet adapters

Wed, 16 Mar 2011 14:01:07 -0700 

After my experience with udav(4), I took a look at other USB  
adapters. The diff makes all of them more consistent by checking
the frame length returned and validating it. 

Since I don't own any of those adapters, I must rely on you people to 
test them. The diff is wrong unless successful reports are heard from users.

Of course, if the adapters are broken after applying the diff, I'll      
do my best to track down the problem.     

Yes, even 2-line diffs for each adapter needs to be checked, since device
drivers are a real minefield, so please test !


Index: if_axe.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/if_axe.c,v
retrieving revision 1.105
diff -u -p -r1.105 if_axe.c
--- if_axe.c    25 Jan 2011 20:03:35 -0000      1.105
+++ if_axe.c    16 Mar 2011 20:34:42 -0000
@@ -1018,7 +1018,8 @@ axe_rxeof(usbd_xfer_handle xfer, usbd_pr
 
        do {
                if (sc->axe_flags & AX178 || sc->axe_flags & AX772) {
-                       if (total_len < sizeof(hdr)) {
+                       if (total_len < ETHERMIN ||
+                           total_len > ifp->if_hardmtu) {
                                ifp->if_ierrors++;
                                goto done;
                        }
Index: if_aue.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/if_aue.c,v
retrieving revision 1.84
diff -u -p -r1.84 if_aue.c
--- if_aue.c    25 Jan 2011 20:03:35 -0000      1.84
+++ if_aue.c    16 Mar 2011 20:34:43 -0000
@@ -1078,12 +1078,12 @@ aue_rxeof(usbd_xfer_handle xfer, usbd_pr
 
        usbd_get_xfer_status(xfer, NULL, NULL, &total_len, NULL);
 
-       memcpy(mtod(c->aue_mbuf, char *), c->aue_buf, total_len);
-
-       if (total_len <= 4 + ETHER_CRC_LEN) {
+       if (total_len < ETHERMIN || total_len > ifp->if_hardmtu) {
                ifp->if_ierrors++;
                goto done;
        }
+
+       memcpy(mtod(c->aue_mbuf, char *), c->aue_buf, total_len);
 
        memcpy(&r, c->aue_buf + total_len - 4, sizeof(r));
 
Index: if_cdce.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/if_cdce.c,v
retrieving revision 1.49
diff -u -p -r1.49 if_cdce.c
--- if_cdce.c   25 Jan 2011 20:03:35 -0000      1.49
+++ if_cdce.c   16 Mar 2011 20:34:45 -0000
@@ -776,16 +776,13 @@ cdce_rxeof(usbd_xfer_handle xfer, usbd_p
        usbd_get_xfer_status(xfer, NULL, NULL, &total_len, NULL);
        if (sc->cdce_flags & CDCE_ZAURUS)
                total_len -= 4; /* Strip off CRC added by Zaurus */
-       if (total_len <= 1)
+       if (total_len < ETHERMIN || total_len > ifp->if_hardmtu) {
+               ifp->if_ierrors++;
                goto done;
+       }
 
        m = c->cdce_mbuf;
        memcpy(mtod(m, char *), c->cdce_buf, total_len);
-
-       if (total_len < sizeof(struct ether_header)) {
-               ifp->if_ierrors++;
-               goto done;
-       }
 
        ifp->if_ipackets++;
 
Index: if_cue.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/if_cue.c,v
retrieving revision 1.59
diff -u -p -r1.59 if_cue.c
--- if_cue.c    25 Jan 2011 20:03:35 -0000      1.59
+++ if_cue.c    16 Mar 2011 20:34:46 -0000
@@ -738,6 +738,11 @@ cue_rxeof(usbd_xfer_handle xfer, usbd_pr
 
        usbd_get_xfer_status(xfer, NULL, NULL, &total_len, NULL);
 
+       if (total_len < ETHERMIN || total_len > ifp->if_hardmtu) {
+               ifp->if_ierrors++;
+               goto done;
+       }
+
        memcpy(mtod(c->cue_mbuf, char *), c->cue_buf, total_len);
 
        m = c->cue_mbuf;
Index: if_kue.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/if_kue.c,v
retrieving revision 1.63
diff -u -p -r1.63 if_kue.c
--- if_kue.c    25 Jan 2011 20:03:35 -0000      1.63
+++ if_kue.c    16 Mar 2011 20:34:47 -0000
@@ -741,8 +741,10 @@ kue_rxeof(usbd_xfer_handle xfer, usbd_pr
                     __func__, total_len,
                     UGETW(mtod(c->kue_mbuf, u_int8_t *))));
 
-       if (total_len <= 1)
+       if (total_len < ETHERMIN || total_len > ifp->if_hardmtu) {
+               ifp->if_ierrors++;
                goto done;
+       }
 
        m = c->kue_mbuf;
        /* copy data to mbuf */
Index: if_mos.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/if_mos.c,v
retrieving revision 1.13
diff -u -p -r1.13 if_mos.c
--- if_mos.c    25 Jan 2011 20:03:35 -0000      1.13
+++ if_mos.c    16 Mar 2011 20:34:48 -0000
@@ -955,8 +955,10 @@ mos_rxeof(usbd_xfer_handle xfer, usbd_pr
 
        usbd_get_xfer_status(xfer, NULL, NULL, &total_len, NULL);
 
-       if (total_len <= 1)
+       if (total_len < ETHERMIN || total_len > ifp->if_hardmtu) {
+               ifp->if_ierrors++;
                goto done;
+       }
 
        /* evaluate status byte at the end */
        pktlen = total_len - 1;
Index: if_url.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/if_url.c,v
retrieving revision 1.61
diff -u -p -r1.61 if_url.c
--- if_url.c    25 Jan 2011 20:03:35 -0000      1.61
+++ if_url.c    16 Mar 2011 20:34:49 -0000
@@ -995,12 +995,12 @@ url_rxeof(usbd_xfer_handle xfer, usbd_pr
 
        usbd_get_xfer_status(xfer, NULL, NULL, &total_len, NULL);
 
-       memcpy(mtod(c->url_mbuf, char *), c->url_buf, total_len);
-
-       if (total_len <= ETHER_CRC_LEN) {
+       if (total_len < ETHERMIN || total_len > ifp->if_hardmtu) {
                ifp->if_ierrors++;
                goto done;
        }
+
+       memcpy(mtod(c->url_mbuf, char *), c->url_buf, total_len);
 
        memcpy(&rxhdr, c->url_buf + total_len - ETHER_CRC_LEN, sizeof(rxhdr));

Reply via email to