Source-Changes-HG archive


[src/netbsd-7]: src/sys/dev/usb Pull up following revision(s) (requested by m...



details:   https://anonhg.NetBSD.org/src/rev/f3c482fee084
branches:  netbsd-7
changeset: 934691:f3c482fee084
user:      bouyer <bouyer%NetBSD.org@localhost>
date:      Tue Jun 16 10:33:38 2020 +0000

description:
Pull up following revision(s) (requested by martin in ticket #1734):
        sys/dev/usb/if_otus.c: revision 1.45 via patch
Stricter bounds check for some packet length we get from the usb chip,
to make sure we do not corrupt kernel memory.
Pointed out by Ilja Van Sprundel.

diffstat:

 sys/dev/usb/if_otus.c |  11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

diffs (39 lines):

diff -r a691619bdc15 -r f3c482fee084 sys/dev/usb/if_otus.c
--- a/sys/dev/usb/if_otus.c     Sun Jun 07 16:46:01 2020 +0000
+++ b/sys/dev/usb/if_otus.c     Tue Jun 16 10:33:38 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: if_otus.c,v 1.25.4.3 2018/08/08 10:17:11 martin Exp $  */
+/*     $NetBSD: if_otus.c,v 1.25.4.4 2020/06/16 10:33:38 bouyer Exp $  */
 /*     $OpenBSD: if_otus.c,v 1.18 2010/08/27 17:08:00 jsg Exp $        */
 
 /*-
@@ -23,7 +23,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_otus.c,v 1.25.4.3 2018/08/08 10:17:11 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_otus.c,v 1.25.4.4 2020/06/16 10:33:38 bouyer Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_usb.h"
@@ -1750,6 +1750,10 @@
        }
        /* Compute MPDU's length. */
        mlen = len - AR_PLCP_HDR_LEN - sizeof(*tail);
+       if (__predict_false(mlen < IEEE80211_CRC_LEN)) {
+               ifp->if_ierrors++;
+               return;
+       }
        mlen -= IEEE80211_CRC_LEN;      /* strip 802.11 FCS */
        /* Make sure there's room for an 802.11 header. */
        /*
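
Review bot: the new `mlen < IEEE80211_CRC_LEN` test runs after `mlen = len - AR_PLCP_HDR_LEN - sizeof(*tail);`, so it only rejects a too-short `len` if `mlen` is a signed type; with an unsigned `mlen` the subtraction would wrap to a large value and pass this test. The declaration of `mlen` is not visible in this hunk, so either confirm it is signed or compare `len` against `AR_PLCP_HDR_LEN + sizeof(*tail) + IEEE80211_CRC_LEN` before subtracting, which holds regardless of the type and does not lean on a signed conversion of a `sizeof` expression.
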
@@ -1770,7 +1774,8 @@
                return;
        }
        if (align + mlen > MHLEN) {
-               MCLGET(m, M_DONTWAIT);
+               if (__predict_true(align + mlen <= MCLBYTES))
+                       MCLGET(m, M_DONTWAIT);
                if (__predict_false(!(m->m_flags & M_EXT))) {
                        ifp->if_ierrors++;
                        m_freem(m);
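
Review bot: the upper bound on `align + mlen` is enforced only indirectly here: when the sum exceeds `MCLBYTES` the `MCLGET` is skipped, and the frame is dropped because the following `!(m->m_flags & M_EXT)` test then fails. That coupling is easy to break in a later edit, so I would either add a one-line comment saying the `M_EXT` test also covers the oversize case, or make the rejection explicit with its own `align + mlen > MCLBYTES` branch that bumps `ifp->if_ierrors`, frees `m` and returns. The unbraced `if` wrapping `MCLGET` directly above a braced `if` would also read more clearly with braces.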


