113 lines
2.7 KiB
Diff
113 lines
2.7 KiB
Diff
--- sys/dev/usb/net/if_cdceem.c.orig
|
|
+++ sys/dev/usb/net/if_cdceem.c
|
|
@@ -426,9 +426,10 @@
|
|
struct usb_ether *ue;
|
|
struct ifnet *ifp;
|
|
struct mbuf *m;
|
|
- int actlen, off;
|
|
uint32_t computed_crc, received_crc;
|
|
- uint16_t pktlen;
|
|
+ int pktlen;
|
|
+ int actlen;
|
|
+ int off;
|
|
|
|
off = *offp;
|
|
sc = usbd_xfer_softc(xfer);
|
|
@@ -442,7 +443,7 @@
|
|
(hdr & CDCEEM_DATA_CRC) ? "valid" : "absent",
|
|
pktlen);
|
|
|
|
- if (pktlen < ETHER_HDR_LEN) {
|
|
+ if (pktlen < (ETHER_HDR_LEN + 4)) {
|
|
CDCEEM_WARN(sc,
|
|
"bad ethernet frame length %d, should be at least %d",
|
|
pktlen, ETHER_HDR_LEN);
|
|
@@ -466,6 +467,14 @@
|
|
}
|
|
|
|
pktlen -= 4; /* Subtract the CRC. */
|
|
+
|
|
+ if (pktlen > m->m_len) {
|
|
+ CDCEEM_WARN(sc, "buffer too small %d vs %d bytes",
|
|
+ pktlen, m->m_len);
|
|
+ if_inc_counter(ifp, IFCOUNTER_IQDROPS, 1);
|
|
+ m_freem(m);
|
|
+ return;
|
|
+ }
|
|
usbd_copy_out(pc, off, mtod(m, uint8_t *), pktlen);
|
|
off += pktlen;
|
|
|
|
@@ -512,7 +521,7 @@
|
|
pc = usbd_xfer_get_frame(xfer, 0);
|
|
off = 0;
|
|
|
|
- while (off < actlen) {
|
|
+ while ((off + sizeof(hdr)) <= actlen) {
|
|
usbd_copy_out(pc, off, &hdr, sizeof(hdr));
|
|
CDCEEM_DEBUG(sc, "hdr = %#x", hdr);
|
|
off += sizeof(hdr);
|
|
--- sys/dev/usb/net/if_muge.c.orig
|
|
+++ sys/dev/usb/net/if_muge.c
|
|
@@ -1166,9 +1166,9 @@
|
|
struct ifnet *ifp = uether_getifp(ue);
|
|
struct mbuf *m;
|
|
struct usb_page_cache *pc;
|
|
- uint16_t pktlen;
|
|
uint32_t rx_cmd_a, rx_cmd_b;
|
|
uint16_t rx_cmd_c;
|
|
+ int pktlen;
|
|
int off;
|
|
int actlen;
|
|
|
|
@@ -1246,7 +1246,14 @@
|
|
1);
|
|
goto tr_setup;
|
|
}
|
|
-
|
|
+ if (pktlen > m->m_len) {
|
|
+ muge_dbg_printf(sc,
|
|
+ "buffer too small %d vs %d bytes",
|
|
+ pktlen, m->m_len);
|
|
+ if_inc_counter(ifp, IFCOUNTER_IQDROPS, 1);
|
|
+ m_freem(m);
|
|
+ goto tr_setup;
|
|
+ }
|
|
usbd_copy_out(pc, off, mtod(m, uint8_t *),
|
|
pktlen);
|
|
|
|
--- sys/dev/usb/net/if_smsc.c.orig
|
|
+++ sys/dev/usb/net/if_smsc.c
|
|
@@ -973,7 +973,7 @@
|
|
struct mbuf *m;
|
|
struct usb_page_cache *pc;
|
|
uint32_t rxhdr;
|
|
- uint16_t pktlen;
|
|
+ int pktlen;
|
|
int off;
|
|
int actlen;
|
|
|
|
@@ -999,6 +999,9 @@
|
|
/* The frame header is always aligned on a 4 byte boundary */
|
|
off = ((off + 0x3) & ~0x3);
|
|
|
|
+ if ((off + sizeof(rxhdr)) > actlen)
|
|
+ goto tr_setup;
|
|
+
|
|
usbd_copy_out(pc, off, &rxhdr, sizeof(rxhdr));
|
|
off += (sizeof(rxhdr) + ETHER_ALIGN);
|
|
rxhdr = le32toh(rxhdr);
|
|
@@ -1027,7 +1030,13 @@
|
|
if_inc_counter(ifp, IFCOUNTER_IQDROPS, 1);
|
|
goto tr_setup;
|
|
}
|
|
-
|
|
+ if (pktlen > m->m_len) {
|
|
+ smsc_dbg_printf(sc, "buffer too small %d vs %d bytes",
|
|
+ pktlen, m->m_len);
|
|
+ if_inc_counter(ifp, IFCOUNTER_IQDROPS, 1);
|
|
+ m_freem(m);
|
|
+ goto tr_setup;
|
|
+ }
|
|
usbd_copy_out(pc, off, mtod(m, uint8_t *), pktlen);
|
|
|
|
/* Check if RX TCP/UDP checksumming is being offloaded */
|