Source-Changes-HG archive


[src/netbsd-9]: src/sys/dev/usb Pull up following revision (requested by mart...



details:   https://anonhg.NetBSD.org/src/rev/93c45ce97221
branches:  netbsd-9
changeset: 934406:93c45ce97221
user:      jdc <jdc%NetBSD.org@localhost>
date:      Thu Jun 11 11:01:20 2020 +0000

description:
Pull up following revision (requested by martin in ticket #957):

        src/sys/dev/usb/if_otus.c: revision 1.45 (via patch)

Stricter bounds check for some packet length we get from the usb chip,
to make sure we do not corrupt kernel memory.
Pointed out by Ilja Van Sprundel.

diffstat:

 sys/dev/usb/if_otus.c |  11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

diffs (39 lines):

diff -r 6a46bb3e5e8f -r 93c45ce97221 sys/dev/usb/if_otus.c
--- a/sys/dev/usb/if_otus.c     Sun Jun 07 19:08:12 2020 +0000
+++ b/sys/dev/usb/if_otus.c     Thu Jun 11 11:01:20 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: if_otus.c,v 1.38 2019/05/28 07:41:50 msaitoh Exp $     */
+/*     $NetBSD: if_otus.c,v 1.38.2.1 2020/06/11 11:01:20 jdc Exp $     */
 /*     $OpenBSD: if_otus.c,v 1.18 2010/08/27 17:08:00 jsg Exp $        */
 
 /*-
@@ -23,7 +23,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_otus.c,v 1.38 2019/05/28 07:41:50 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_otus.c,v 1.38.2.1 2020/06/11 11:01:20 jdc Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_usb.h"
@@ -1745,6 +1745,10 @@
        }
        /* Compute MPDU's length. */
        mlen = len - AR_PLCP_HDR_LEN - sizeof(*tail);
+       if (__predict_false(mlen < IEEE80211_CRC_LEN)) {
+               ifp->if_ierrors++;
+               return;
+       }
        mlen -= IEEE80211_CRC_LEN;      /* strip 802.11 FCS */
        /* Make sure there's room for an 802.11 header. */
        /*
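Review bot: The new `mlen < IEEE80211_CRC_LEN` test sits after `mlen = len - AR_PLCP_HDR_LEN - sizeof(*tail)`, so it only catches a short frame if the subtraction leaves a negative or small value in `mlen`. Because `sizeof(*tail)` is a `size_t`, that expression is typically evaluated in unsigned arithmetic, and the declarations of `len` and `mlen` are not visible in this hunk; if `mlen` is unsigned, a `len` shorter than the PLCP header plus tail wraps to a large value and passes the check. Consider validating before subtracting, for example `if (__predict_false(len < AR_PLCP_HDR_LEN + sizeof(*tail) + IEEE80211_CRC_LEN))`, or add a comment stating that the check ending at the `}` just above already guarantees that lower bound.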
@@ -1765,7 +1769,8 @@
                return;
        }
        if (align + mlen > MHLEN) {
-               MCLGET(m, M_DONTWAIT);
+               if (__predict_true(align + mlen <= MCLBYTES))
+                       MCLGET(m, M_DONTWAIT);
                if (__predict_false(!(m->m_flags & M_EXT))) {
                        ifp->if_ierrors++;
                        m_freem(m);
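Review bot: In the `align + mlen > MHLEN` branch, a frame with `align + mlen > MCLBYTES` is rejected only indirectly: `MCLGET` is skipped and the following `!(m->m_flags & M_EXT)` test then takes the error path. That coupling is easy to break in a later edit, and it counts an oversized length reported by the device the same way as a cluster allocation failure. A one-line comment on the new `if`, or an explicit reject for the oversize case, would make the upper bound obvious to the next reader.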


