Hi, I'm uploading the new diffs for this. It concerns
axe(4), aue(4), cdce(4), cue(4), kue(4), mos(4) and url(4).
Of these, axe(4) is the most tricky, and I'd appreciate testing
on all vaariants of axe(4).
Please test both small and large packets (NFS and SCP).
As usual,
feedback is most welcomed.
Index: src/sys/dev/usb/if_axe.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/if_axe.c,v
retrieving revision 1.105
diff -u -p -r1.105 if_axe.c
--- src/sys/dev/usb/if_axe.c 25 Jan 2011 20:03:35 -0000 1.105
+++ src/sys/dev/usb/if_axe.c 19 Mar 2011 17:45:08 -0000
@@ -1018,7 +1018,9 @@ axe_rxeof(usbd_xfer_handle xfer, usbd_pr
do {
if (sc->axe_flags & AX178 || sc->axe_flags & AX772) {
- if (total_len < sizeof(hdr)) {
+ if (total_len < sizeof(hdr) ||
+ total_len > (sc->axe_flags == AXE_178_MAX_BUFSZ ?
+ AXE_178_MAX_BUFSZ : AXE_178_MIN_BUFSZ)) {
ifp->if_ierrors++;
goto done;
}
@@ -1048,8 +1050,15 @@ axe_rxeof(usbd_xfer_handle xfer, usbd_pr
else
total_len -= pktlen;
} else {
+ if (total_len < sizeof(hdr) ||
+ total_len > AXE_172_BUFSZ) {
+ ifp->if_ierrors++;
+ goto done;
+ }
+ else {
pktlen = total_len; /* crc on the end? */
total_len = 0;
+ }
}
m = axe_newbuf();
Index: src/sys/dev/usb/if_aue.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/if_aue.c,v
retrieving revision 1.84
diff -u -p -r1.84 if_aue.c
--- src/sys/dev/usb/if_aue.c 25 Jan 2011 20:03:35 -0000 1.84
+++ src/sys/dev/usb/if_aue.c 19 Mar 2011 17:45:09 -0000
@@ -1078,12 +1078,12 @@ aue_rxeof(usbd_xfer_handle xfer, usbd_pr
usbd_get_xfer_status(xfer, NULL, NULL, &total_len, NULL);
- memcpy(mtod(c->aue_mbuf, char *), c->aue_buf, total_len);
-
- if (total_len <= 4 + ETHER_CRC_LEN) {
+ if (total_len <= 4 + ETHER_CRC_LEN || total_len > AUE_BUFSZ) {
ifp->if_ierrors++;
goto done;
}
+
+ memcpy(mtod(c->aue_mbuf, char *), c->aue_buf, total_len);
memcpy(&r, c->aue_buf + total_len - 4, sizeof(r));
Index: src/sys/dev/usb/if_cdce.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/if_cdce.c,v
retrieving revision 1.49
diff -u -p -r1.49 if_cdce.c
--- src/sys/dev/usb/if_cdce.c 25 Jan 2011 20:03:35 -0000 1.49
+++ src/sys/dev/usb/if_cdce.c 19 Mar 2011 17:45:10 -0000
@@ -776,8 +776,11 @@ cdce_rxeof(usbd_xfer_handle xfer, usbd_p
usbd_get_xfer_status(xfer, NULL, NULL, &total_len, NULL);
if (sc->cdce_flags & CDCE_ZAURUS)
total_len -= 4; /* Strip off CRC added by Zaurus */
- if (total_len <= 1)
+
+ if (total_len <= 1 || total_len > CDCE_BUFSZ) {
+ ifp->if_ierrors++;
goto done;
+ }
m = c->cdce_mbuf;
memcpy(mtod(m, char *), c->cdce_buf, total_len);
Index: src/sys/dev/usb/if_cue.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/if_cue.c,v
retrieving revision 1.59
diff -u -p -r1.59 if_cue.c
--- src/sys/dev/usb/if_cue.c 25 Jan 2011 20:03:35 -0000 1.59
+++ src/sys/dev/usb/if_cue.c 19 Mar 2011 17:45:11 -0000
@@ -738,6 +738,11 @@ cue_rxeof(usbd_xfer_handle xfer, usbd_pr
usbd_get_xfer_status(xfer, NULL, NULL, &total_len, NULL);
+ if (total_len < sizeof(struct ether_header) ||total_len > CUE_BUFSZ) {
+ ifp->if_ierrors++;
+ goto done;
+ }
+
memcpy(mtod(c->cue_mbuf, char *), c->cue_buf, total_len);
m = c->cue_mbuf;
Index: src/sys/dev/usb/if_kue.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/if_kue.c,v
retrieving revision 1.63
diff -u -p -r1.63 if_kue.c
--- src/sys/dev/usb/if_kue.c 25 Jan 2011 20:03:35 -0000 1.63
+++ src/sys/dev/usb/if_kue.c 19 Mar 2011 17:45:11 -0000
@@ -741,8 +741,10 @@ kue_rxeof(usbd_xfer_handle xfer, usbd_pr
__func__, total_len,
UGETW(mtod(c->kue_mbuf, u_int8_t *))));
- if (total_len <= 1)
+ if (total_len <= 1 || total_len > KUE_BUFSZ) {
+ ifp->if_ierrors++;
goto done;
+ }
m = c->kue_mbuf;
/* copy data to mbuf */
Index: src/sys/dev/usb/if_mos.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/if_mos.c,v
retrieving revision 1.14
diff -u -p -r1.14 if_mos.c
--- src/sys/dev/usb/if_mos.c 21 Feb 2011 19:48:41 -0000 1.14
+++ src/sys/dev/usb/if_mos.c 19 Mar 2011 17:45:13 -0000
@@ -955,8 +955,10 @@ mos_rxeof(usbd_xfer_handle xfer, usbd_pr
usbd_get_xfer_status(xfer, NULL, NULL, &total_len, NULL);
- if (total_len <= 1)
+ if (total_len <= 1 || total_len > MOS_BUFSZ) {
+ ifp->if_ierrors++;
goto done;
+ }
/* evaluate status byte at the end */
pktlen = total_len - 1;
Index: src/sys/dev/usb/if_url.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/if_url.c,v
retrieving revision 1.61
diff -u -p -r1.61 if_url.c
--- src/sys/dev/usb/if_url.c 25 Jan 2011 20:03:35 -0000 1.61
+++ src/sys/dev/usb/if_url.c 19 Mar 2011 17:45:13 -0000
@@ -995,12 +995,12 @@ url_rxeof(usbd_xfer_handle xfer, usbd_pr
usbd_get_xfer_status(xfer, NULL, NULL, &total_len, NULL);
- memcpy(mtod(c->url_mbuf, char *), c->url_buf, total_len);
-
- if (total_len <= ETHER_CRC_LEN) {
+ if (total_len <= ETHER_CRC_LEN || total_len > URL_BUFSZ) {
ifp->if_ierrors++;
goto done;
}
+
+ memcpy(mtod(c->url_mbuf, char *), c->url_buf, total_len);
memcpy(&rxhdr, c->url_buf + total_len - ETHER_CRC_LEN, sizeof(rxhdr));