Source-Changes-HG archive


[src/netbsd-8]: src/sys/dev/usb Pull up following revision(s) (requested by m...



details:   https://anonhg.NetBSD.org/src/rev/27632e617448
branches:  netbsd-8
changeset: 934688:27632e617448
user:      bouyer <bouyer%NetBSD.org@localhost>
date:      Tue Jun 16 10:27:03 2020 +0000

description:
Pull up following revision(s) (requested by martin in ticket #1558):
        sys/dev/usb/if_otus.c: revision 1.45 via patch
Stricter bounds check for some packet length we get from the usb chip,
to make sure we do not corrupt kernel memory.
Pointed out by Ilja Van Sprundel.

diffstat:

 sys/dev/usb/if_otus.c |  11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

diffs (39 lines):

diff -r 09bc46fbc7d1 -r 27632e617448 sys/dev/usb/if_otus.c
--- a/sys/dev/usb/if_otus.c     Tue Jun 16 10:23:04 2020 +0000
+++ b/sys/dev/usb/if_otus.c     Tue Jun 16 10:27:03 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: if_otus.c,v 1.31.2.2 2018/08/08 10:28:35 martin Exp $  */
+/*     $NetBSD: if_otus.c,v 1.31.2.3 2020/06/16 10:27:03 bouyer Exp $  */
 /*     $OpenBSD: if_otus.c,v 1.18 2010/08/27 17:08:00 jsg Exp $        */
 
 /*-
@@ -23,7 +23,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_otus.c,v 1.31.2.2 2018/08/08 10:28:35 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_otus.c,v 1.31.2.3 2020/06/16 10:27:03 bouyer Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_usb.h"
@@ -1745,6 +1745,10 @@
        }
        /* Compute MPDU's length. */
        mlen = len - AR_PLCP_HDR_LEN - sizeof(*tail);
+       if (__predict_false(mlen < IEEE80211_CRC_LEN)) {
+               ifp->if_ierrors++;
+               return;
+       }
        mlen -= IEEE80211_CRC_LEN;      /* strip 802.11 FCS */
        /* Make sure there's room for an 802.11 header. */
        /*
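Review bot: the new `mlen < IEEE80211_CRC_LEN` test only rejects an undersized frame if `mlen` is a signed type, and neither its declaration nor that of `len` is visible in this hunk. If `len` is an `int`, `len - AR_PLCP_HDR_LEN - sizeof(*tail)` is computed in the unsigned type of `sizeof`, so a `len` shorter than the two headers wraps to a huge value and is caught only after conversion back to a negative signed `mlen`. Consider doing the validation before the subtraction, comparing `len` against `AR_PLCP_HDR_LEN + sizeof(*tail) + IEEE80211_CRC_LEN` with both sides cast to the same signedness, so the guard does not depend on that conversion.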
@@ -1765,7 +1769,8 @@
                return;
        }
        if (align + mlen > MHLEN) {
-               MCLGET(m, M_DONTWAIT);
+               if (__predict_true(align + mlen <= MCLBYTES))
+                       MCLGET(m, M_DONTWAIT);
                if (__predict_false(!(m->m_flags & M_EXT))) {
                        ifp->if_ierrors++;
                        m_freem(m);
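Review bot: the upper bound at `align + mlen <= MCLBYTES` is enforced only indirectly: an oversized frame skips `MCLGET` and is then dropped because the following `!(m->m_flags & M_EXT)` test happens to fail. That couples the length check to the allocation-failure path, so a later change to how the cluster is attached could silently remove the bound. An explicit reject of `align + mlen > MCLBYTES` (with `ifp->if_ierrors++`) ahead of the mbuf allocation would make the intent clear and avoid allocating an mbuf for a frame that is going to be dropped; at minimum, add a comment here saying that skipping `MCLGET` is what rejects the frame.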


