Tue Jun 16 10:34:49 2020 UTC ()
Pull up following revision(s) (requested by martin in ticket #1735):
	sys/dev/usb/if_run.c: revision 1.41
Better bounds checking for oversized packets, to avoid kernel memory
corruption. Pointed out by Ilja Van Sprundel.


(bouyer)
diff -r1.10.4.4 -r1.10.4.5 src/sys/dev/usb/if_run.c


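--- a/src/sys/dev/usb/if_run.c
+++ b/src/sys/dev/usb/if_run.c
@@ -1,39 +1,39 @@
-/* $NetBSD: if_run.c,v 1.10.4.4 2018/08/08 10:17:11 martin Exp $ */
+/* $NetBSD: if_run.c,v 1.10.4.5 2020/06/16 10:34:49 bouyer Exp $ */
 /* $OpenBSD: if_run.c,v 1.90 2012/03/24 15:11:04 jsg Exp $ */
 
 /*-
  * Copyright (c) 2008-2010 Damien Bergamini <damien.bergamini@free.fr>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
 /*-
  * Ralink Technology RT2700U/RT2800U/RT3000U chipset driver.
  * http://www.ralinktech.com/
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_run.c,v 1.10.4.4 2018/08/08 10:17:11 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_run.c,v 1.10.4.5 2020/06/16 10:34:49 bouyer Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_usb.h"
 #endif
 
 #include <sys/param.h>
 #include <sys/sockio.h>
 #include <sys/sysctl.h>
 #include <sys/mbuf.h>
 #include <sys/kernel.h>
 #include <sys/socket.h>
 #include <sys/systm.h>
 #include <sys/malloc.h>
@@ -2057,27 +2057,28 @@ run_rx_frame(struct run_softc *sc, uint8
  if (flags & RT2860_RX_L2PAD) {
  u_int hdrlen = ieee80211_hdrspace(ic, wh);
  ovbcopy(wh, (uint8_t *)wh + 2, hdrlen);
  wh = (struct ieee80211_frame *)((uint8_t *)wh + 2);
  }
 
  /* could use m_devget but net80211 wants contig mgmt frames */
  MGETHDR(m, M_DONTWAIT, MT_DATA);
  if (__predict_false(m == NULL)) {
  ifp->if_ierrors++;
  return;
  }
  if (len > MHLEN) {
- MCLGET(m, M_DONTWAIT);
+ if (__predict_true(len <= MCLBYTES))
+ MCLGET(m, M_DONTWAIT);
  if (__predict_false(!(m->m_flags & M_EXT))) {
  ifp->if_ierrors++;
  m_freem(m);
  return;
  }
  }
  /* finalize mbuf */
  m->m_pkthdr.rcvif = ifp;
  memcpy(mtod(m, void *), wh, len);
  m->m_pkthdr.len = m->m_len = len;
 
  ant = run_maxrssi_chain(sc, rxwi);
  rssi = rxwi->rssi[ant];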
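Review bot: The oversize case at new lines 2070-2071 is rejected only implicitly: when `len > MCLBYTES` the `MCLGET` is skipped, `M_EXT` stays clear, and the existing `!(m->m_flags & M_EXT)` branch drops the frame, which is the only thing keeping the `memcpy(mtod(m, void *), wh, len)` at new line 2080 inside the mbuf. That coupling deserves a comment above the new `if`, for example `/* len > MCLBYTES: no cluster is attached, so the M_EXT check below drops the frame */`, so a later cleanup of the allocation-failure path does not silently remove the bound. An explicit `if (__predict_false(len > MCLBYTES)) { ifp->if_ierrors++; return; }` ahead of `MGETHDR` would make the limit visible and avoid allocating an mbuf for a frame that is going to be discarded. run_rx_frame starts before and continues after this hunk, so how `len` is derived, and whether it has a lower bound against the 802.11 header size used by the `ovbcopy` at line 2059, cannot be confirmed from here.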