989d921f5d
I'm very pleased to announce the release of our new website and documentation using the new toolchain with Hugo and AsciiDoctor. To get more information about the new toolchain please read the FreeBSD Documentation Project Primer[1], Hugo docs[2] and AsciiDoctor docs[3]. Acknowledgment: Benedict Reuschling <bcr@> Glen Barber <gjb@> Hiroki Sato <hrs@> Li-Wen Hsu <lwhsu@> Sean Chittenden <seanc@> The FreeBSD Foundation [1] https://docs.FreeBSD.org/en/books/fdp-primer/ [2] https://gohugo.io/documentation/ [3] https://docs.asciidoctor.org/home/ Approved by: doceng, core
113 lines
2.7 KiB
Diff
113 lines
2.7 KiB
Diff
--- sys/dev/usb/net/if_cdceem.c.orig
|
|
+++ sys/dev/usb/net/if_cdceem.c
|
|
@@ -426,9 +426,10 @@
|
|
struct usb_ether *ue;
|
|
struct ifnet *ifp;
|
|
struct mbuf *m;
|
|
- int actlen, off;
|
|
uint32_t computed_crc, received_crc;
|
|
- uint16_t pktlen;
|
|
+ int pktlen;
|
|
+ int actlen;
|
|
+ int off;
|
|
|
|
off = *offp;
|
|
sc = usbd_xfer_softc(xfer);
|
|
@@ -442,7 +443,7 @@
|
|
(hdr & CDCEEM_DATA_CRC) ? "valid" : "absent",
|
|
pktlen);
|
|
|
|
- if (pktlen < ETHER_HDR_LEN) {
|
|
+ if (pktlen < (ETHER_HDR_LEN + 4)) {
|
|
CDCEEM_WARN(sc,
|
|
"bad ethernet frame length %d, should be at least %d",
|
|
pktlen, ETHER_HDR_LEN);
|
|
@@ -466,6 +467,14 @@
|
|
}
|
|
|
|
pktlen -= 4; /* Subtract the CRC. */
|
|
+
|
|
+ if (pktlen > m->m_len) {
|
|
+ CDCEEM_WARN(sc, "buffer too small %d vs %d bytes",
|
|
+ pktlen, m->m_len);
|
|
+ if_inc_counter(ifp, IFCOUNTER_IQDROPS, 1);
|
|
+ m_freem(m);
|
|
+ return;
|
|
+ }
|
|
usbd_copy_out(pc, off, mtod(m, uint8_t *), pktlen);
|
|
off += pktlen;
|
|
|
|
@@ -512,7 +521,7 @@
|
|
pc = usbd_xfer_get_frame(xfer, 0);
|
|
off = 0;
|
|
|
|
- while (off < actlen) {
|
|
+ while ((off + sizeof(hdr)) <= actlen) {
|
|
usbd_copy_out(pc, off, &hdr, sizeof(hdr));
|
|
CDCEEM_DEBUG(sc, "hdr = %#x", hdr);
|
|
off += sizeof(hdr);
|
|
--- sys/dev/usb/net/if_muge.c.orig
|
|
+++ sys/dev/usb/net/if_muge.c
|
|
@@ -1166,9 +1166,9 @@
|
|
struct ifnet *ifp = uether_getifp(ue);
|
|
struct mbuf *m;
|
|
struct usb_page_cache *pc;
|
|
- uint16_t pktlen;
|
|
uint32_t rx_cmd_a, rx_cmd_b;
|
|
uint16_t rx_cmd_c;
|
|
+ int pktlen;
|
|
int off;
|
|
int actlen;
|
|
|
|
@@ -1246,7 +1246,14 @@
|
|
1);
|
|
goto tr_setup;
|
|
}
|
|
-
|
|
+ if (pktlen > m->m_len) {
|
|
+ muge_dbg_printf(sc,
|
|
+ "buffer too small %d vs %d bytes",
|
|
+ pktlen, m->m_len);
|
|
+ if_inc_counter(ifp, IFCOUNTER_IQDROPS, 1);
|
|
+ m_freem(m);
|
|
+ goto tr_setup;
|
|
+ }
|
|
usbd_copy_out(pc, off, mtod(m, uint8_t *),
|
|
pktlen);
|
|
|
|
--- sys/dev/usb/net/if_smsc.c.orig
|
|
+++ sys/dev/usb/net/if_smsc.c
|
|
@@ -973,7 +973,7 @@
|
|
struct mbuf *m;
|
|
struct usb_page_cache *pc;
|
|
uint32_t rxhdr;
|
|
- uint16_t pktlen;
|
|
+ int pktlen;
|
|
int off;
|
|
int actlen;
|
|
|
|
@@ -999,6 +999,9 @@
|
|
/* The frame header is always aligned on a 4 byte boundary */
|
|
off = ((off + 0x3) & ~0x3);
|
|
|
|
+ if ((off + sizeof(rxhdr)) > actlen)
|
|
+ goto tr_setup;
|
|
+
|
|
usbd_copy_out(pc, off, &rxhdr, sizeof(rxhdr));
|
|
off += (sizeof(rxhdr) + ETHER_ALIGN);
|
|
rxhdr = le32toh(rxhdr);
|
|
@@ -1027,7 +1030,13 @@
|
|
if_inc_counter(ifp, IFCOUNTER_IQDROPS, 1);
|
|
goto tr_setup;
|
|
}
|
|
-
|
|
+ if (pktlen > m->m_len) {
|
|
+ smsc_dbg_printf(sc, "buffer too small %d vs %d bytes",
|
|
+ pktlen, m->m_len);
|
|
+ if_inc_counter(ifp, IFCOUNTER_IQDROPS, 1);
|
|
+ m_freem(m);
|
|
+ goto tr_setup;
|
|
+ }
|
|
usbd_copy_out(pc, off, mtod(m, uint8_t *), pktlen);
|
|
|
|
/* Check if RX TCP/UDP checksumming is being offloaded */
|