Re: [PATCH] frame length validation for USB ethernet adapters

Loganaden Velvindron Sat, 19 Mar 2011 21:37:55 -0700
Miod pointed out a wrong variable used for axe(4) diff. Thanks.

Index: if_axe.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/if_axe.c,v
retrieving revision 1.105
diff -u -p -r1.105 if_axe.c
--- if_axe.c    25 Jan 2011 20:03:35 -0000      1.105
+++ if_axe.c    20 Mar 2011 04:31:45 -0000
@@ -1018,7 +1018,9 @@ axe_rxeof(usbd_xfer_handle xfer, usbd_pr
 
        do {
                if (sc->axe_flags & AX178 || sc->axe_flags & AX772) {
-                       if (total_len < sizeof(hdr)) {
+                       if (total_len < sizeof(hdr) ||
+                           total_len > (sc->axe_bufsz == AXE_178_MAX_BUFSZ) ?
+                           AXE_178_MAX_BUFSZ : AXE_178_MIN_BUFSZ) {
                                ifp->if_ierrors++;
                                goto done;
                        }
@@ -1048,8 +1050,15 @@ axe_rxeof(usbd_xfer_handle xfer, usbd_pr
                        else
                                total_len -= pktlen;
                } else {
+                       if (total_len < sizeof(hdr) ||
+                           total_len > AXE_172_BUFSZ) {
+                           ifp->if_ierrors++;
+                           goto done;
+                       }
+                       else {
                        pktlen = total_len; /* crc on the end? */
                        total_len = 0;
+                       }
                }
 
                m = axe_newbuf();
Index: if_aue.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/if_aue.c,v
retrieving revision 1.84
diff -u -p -r1.84 if_aue.c
--- if_aue.c    25 Jan 2011 20:03:35 -0000      1.84
+++ if_aue.c    20 Mar 2011 04:31:46 -0000
@@ -1078,12 +1078,12 @@ aue_rxeof(usbd_xfer_handle xfer, usbd_pr
 
        usbd_get_xfer_status(xfer, NULL, NULL, &total_len, NULL);
 
-       memcpy(mtod(c->aue_mbuf, char *), c->aue_buf, total_len);
-
-       if (total_len <= 4 + ETHER_CRC_LEN) {
+       if (total_len <= 4 + ETHER_CRC_LEN || total_len > AUE_BUFSZ) {
                ifp->if_ierrors++;
                goto done;
        }
+
+       memcpy(mtod(c->aue_mbuf, char *), c->aue_buf, total_len);
 
        memcpy(&r, c->aue_buf + total_len - 4, sizeof(r));
 
Index: if_cdce.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/if_cdce.c,v
retrieving revision 1.49
diff -u -p -r1.49 if_cdce.c
--- if_cdce.c   25 Jan 2011 20:03:35 -0000      1.49
+++ if_cdce.c   20 Mar 2011 04:31:46 -0000
@@ -776,8 +776,11 @@ cdce_rxeof(usbd_xfer_handle xfer, usbd_p
        usbd_get_xfer_status(xfer, NULL, NULL, &total_len, NULL);
        if (sc->cdce_flags & CDCE_ZAURUS)
                total_len -= 4; /* Strip off CRC added by Zaurus */
-       if (total_len <= 1)
+
+       if (total_len <= 1 || total_len > CDCE_BUFSZ) {
+               ifp->if_ierrors++;
                goto done;
+       }
 
        m = c->cdce_mbuf;
        memcpy(mtod(m, char *), c->cdce_buf, total_len);
Index: if_cue.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/if_cue.c,v
retrieving revision 1.59
diff -u -p -r1.59 if_cue.c
--- if_cue.c    25 Jan 2011 20:03:35 -0000      1.59
+++ if_cue.c    20 Mar 2011 04:31:49 -0000
@@ -738,6 +738,11 @@ cue_rxeof(usbd_xfer_handle xfer, usbd_pr
 
        usbd_get_xfer_status(xfer, NULL, NULL, &total_len, NULL);
 
+       if (total_len < sizeof(struct ether_header) ||total_len > CUE_BUFSZ) {
+               ifp->if_ierrors++;
+               goto done;
+       }
+
        memcpy(mtod(c->cue_mbuf, char *), c->cue_buf, total_len);
 
        m = c->cue_mbuf;
Index: if_kue.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/if_kue.c,v
retrieving revision 1.63
diff -u -p -r1.63 if_kue.c
--- if_kue.c    25 Jan 2011 20:03:35 -0000      1.63
+++ if_kue.c    20 Mar 2011 04:31:50 -0000
@@ -741,8 +741,10 @@ kue_rxeof(usbd_xfer_handle xfer, usbd_pr
                     __func__, total_len,
                     UGETW(mtod(c->kue_mbuf, u_int8_t *))));
 
-       if (total_len <= 1)
+       if (total_len <= 1 || total_len > KUE_BUFSZ) {
+               ifp->if_ierrors++;
                goto done;
+       }
 
        m = c->kue_mbuf;
        /* copy data to mbuf */
Index: if_mos.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/if_mos.c,v
retrieving revision 1.14
diff -u -p -r1.14 if_mos.c
--- if_mos.c    21 Feb 2011 19:48:41 -0000      1.14
+++ if_mos.c    20 Mar 2011 04:31:52 -0000
@@ -955,8 +955,10 @@ mos_rxeof(usbd_xfer_handle xfer, usbd_pr
 
        usbd_get_xfer_status(xfer, NULL, NULL, &total_len, NULL);
 
-       if (total_len <= 1)
+       if (total_len <= 1 || total_len > MOS_BUFSZ) {
+               ifp->if_ierrors++;
                goto done;
+       }
 
        /* evaluate status byte at the end */
        pktlen = total_len - 1;
Index: if_url.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/if_url.c,v
retrieving revision 1.61
diff -u -p -r1.61 if_url.c
--- if_url.c    25 Jan 2011 20:03:35 -0000      1.61
+++ if_url.c    20 Mar 2011 04:31:52 -0000
@@ -995,12 +995,12 @@ url_rxeof(usbd_xfer_handle xfer, usbd_pr
 
        usbd_get_xfer_status(xfer, NULL, NULL, &total_len, NULL);
 
-       memcpy(mtod(c->url_mbuf, char *), c->url_buf, total_len);
-
-       if (total_len <= ETHER_CRC_LEN) {
+       if (total_len <= ETHER_CRC_LEN || total_len > URL_BUFSZ) {
                ifp->if_ierrors++;
                goto done;
        }
+
+       memcpy(mtod(c->url_mbuf, char *), c->url_buf, total_len);
 
        memcpy(&rxhdr, c->url_buf + total_len - ETHER_CRC_LEN, sizeof(rxhdr));
Re: [PATCH] frame length validation for USB ethernet adapters

Reply via email to
