Fri Aug 28 19:36:34 2020 UTC ()
Pull up following revision(s) (requested by riastradh in ticket #1067):

	sys/dev/usb/usbnet.c: revision 1.39
	sys/dev/usb/if_atu.c: revision 1.73

usbnet: Reject buflen>MCLBYTES in usbnet_newbuf.
atu(4): Reject packets larger than MCLBYTES.


(martin)
diff -r1.65 -r1.65.2.1 src/sys/dev/usb/if_atu.c
diff -r1.25.2.4 -r1.25.2.5 src/sys/dev/usb/usbnet.c
cvs diff -r1.65 -r1.65.2.1 src/sys/dev/usb/if_atu.c (expand / switch to unified diff)

--- src/sys/dev/usb/if_atu.c 2019/05/05 03:17:54 1.65
+++ src/sys/dev/usb/if_atu.c 2020/08/28 19:36:34 1.65.2.1
@@ -1,14 +1,14 @@ @@ -1,14 +1,14 @@
1/* $NetBSD: if_atu.c,v 1.65 2019/05/05 03:17:54 mrg Exp $ */ 1/* $NetBSD: if_atu.c,v 1.65.2.1 2020/08/28 19:36:34 martin Exp $ */
2/* $OpenBSD: if_atu.c,v 1.48 2004/12/30 01:53:21 dlg Exp $ */ 2/* $OpenBSD: if_atu.c,v 1.48 2004/12/30 01:53:21 dlg Exp $ */
3/* 3/*
4 * Copyright (c) 2003, 2004 4 * Copyright (c) 2003, 2004
5 * Daan Vreeken <Danovitsch@Vitsch.net>. All rights reserved. 5 * Daan Vreeken <Danovitsch@Vitsch.net>. All rights reserved.
6 * 6 *
7 * Redistribution and use in source and binary forms, with or without 7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions 8 * modification, are permitted provided that the following conditions
9 * are met: 9 * are met:
10 * 1. Redistributions of source code must retain the above copyright 10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer. 11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright 12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the 13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution. 14 * documentation and/or other materials provided with the distribution.
@@ -38,27 +38,27 @@ @@ -38,27 +38,27 @@
38 * 38 *
39 * Originally written by Daan Vreeken <Danovitsch @ Vitsch . net> 39 * Originally written by Daan Vreeken <Danovitsch @ Vitsch . net>
40 * http://vitsch.net/bsd/atuwi 40 * http://vitsch.net/bsd/atuwi
41 * 41 *
42 * Contributed to by : 42 * Contributed to by :
43 * Chris Whitehouse, Alistair Phillips, Peter Pilka, Martijn van Buul, 43 * Chris Whitehouse, Alistair Phillips, Peter Pilka, Martijn van Buul,
44 * Suihong Liang, Arjan van Leeuwen, Stuart Walsh 44 * Suihong Liang, Arjan van Leeuwen, Stuart Walsh
45 * 45 *
46 * Ported to OpenBSD by Theo de Raadt and David Gwynne. 46 * Ported to OpenBSD by Theo de Raadt and David Gwynne.
47 * Ported to NetBSD by Jesse Off 47 * Ported to NetBSD by Jesse Off
48 */ 48 */
49 49
50#include <sys/cdefs.h> 50#include <sys/cdefs.h>
51__KERNEL_RCSID(0, "$NetBSD: if_atu.c,v 1.65 2019/05/05 03:17:54 mrg Exp $"); 51__KERNEL_RCSID(0, "$NetBSD: if_atu.c,v 1.65.2.1 2020/08/28 19:36:34 martin Exp $");
52 52
53#ifdef _KERNEL_OPT 53#ifdef _KERNEL_OPT
54#include "opt_usb.h" 54#include "opt_usb.h"
55#endif 55#endif
56 56
57#include <sys/param.h> 57#include <sys/param.h>
58#include <sys/sockio.h> 58#include <sys/sockio.h>
59#include <sys/mbuf.h> 59#include <sys/mbuf.h>
60#include <sys/kernel.h> 60#include <sys/kernel.h>
61#include <sys/socket.h> 61#include <sys/socket.h>
62#include <sys/systm.h> 62#include <sys/systm.h>
63#include <sys/kthread.h> 63#include <sys/kthread.h>
64#include <sys/queue.h> 64#include <sys/queue.h>
@@ -1670,26 +1670,30 @@ atu_rxeof(struct usbd_xfer *xfer, void * @@ -1670,26 +1670,30 @@ atu_rxeof(struct usbd_xfer *xfer, void *
1670 } 1670 }
1671 if (status == USBD_STALLED) 1671 if (status == USBD_STALLED)
1672 usbd_clear_endpoint_stall_async( 1672 usbd_clear_endpoint_stall_async(
1673 sc->atu_ep[ATU_ENDPT_RX]); 1673 sc->atu_ep[ATU_ENDPT_RX]);
1674 goto done; 1674 goto done;
1675 } 1675 }
1676 1676
1677 usbd_get_xfer_status(xfer, NULL, NULL, &len, NULL); 1677 usbd_get_xfer_status(xfer, NULL, NULL, &len, NULL);
1678 1678
1679 if (len <= 1) { 1679 if (len <= 1) {
1680 DPRINTF(("%s: atu_rxeof: too short\n", 1680 DPRINTF(("%s: atu_rxeof: too short\n",
1681 device_xname(sc->atu_dev))); 1681 device_xname(sc->atu_dev)));
1682 goto done; 1682 goto done;
 1683 } else if (len > MCLBYTES) {
 1684 DPRINTF(("%s: atu_rxeof: too long\n",
 1685 device_xname(sc->atu_dev)));
 1686 goto done;
1683 } 1687 }
1684 1688
1685 h = (struct atu_rx_hdr *)c->atu_buf; 1689 h = (struct atu_rx_hdr *)c->atu_buf;
1686 len = UGETW(h->length) - 4; /* XXX magic number */ 1690 len = UGETW(h->length) - 4; /* XXX magic number */
1687 1691
1688 m = c->atu_mbuf; 1692 m = c->atu_mbuf;
1689 memcpy(mtod(m, char *), c->atu_buf + ATU_RX_HDRLEN, len); 1693 memcpy(mtod(m, char *), c->atu_buf + ATU_RX_HDRLEN, len);
1690 m_set_rcvif(m, ifp); 1694 m_set_rcvif(m, ifp);
1691 m->m_pkthdr.len = m->m_len = len; 1695 m->m_pkthdr.len = m->m_len = len;
1692 1696
1693 wh = mtod(m, struct ieee80211_frame_min *); 1697 wh = mtod(m, struct ieee80211_frame_min *);
1694 ni = ieee80211_find_rxnode(ic, wh); 1698 ni = ieee80211_find_rxnode(ic, wh);
1695 1699
cvs diff -r1.25.2.4 -r1.25.2.5 src/sys/dev/usb/usbnet.c (expand / switch to unified diff)

--- src/sys/dev/usb/usbnet.c 2019/12/17 12:55:10 1.25.2.4
+++ src/sys/dev/usb/usbnet.c 2020/08/28 19:36:34 1.25.2.5
@@ -1,14 +1,14 @@ @@ -1,14 +1,14 @@
1/* $NetBSD: usbnet.c,v 1.25.2.4 2019/12/17 12:55:10 martin Exp $ */ 1/* $NetBSD: usbnet.c,v 1.25.2.5 2020/08/28 19:36:34 martin Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2019 Matthew R. Green 4 * Copyright (c) 2019 Matthew R. Green
5 * All rights reserved. 5 * All rights reserved.
6 * 6 *
7 * Redistribution and use in source and binary forms, with or without 7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions 8 * modification, are permitted provided that the following conditions
9 * are met: 9 * are met:
10 * 1. Redistributions of source code must retain the above copyright 10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer. 11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright 12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the 13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution. 14 * documentation and/or other materials provided with the distribution.
@@ -23,27 +23,27 @@ @@ -23,27 +23,27 @@
23 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 23 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 24 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
25 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 25 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
26 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 * SUCH DAMAGE. 28 * SUCH DAMAGE.
29 */ 29 */
30 30
31/* 31/*
32 * Common code shared between USB network drivers. 32 * Common code shared between USB network drivers.
33 */ 33 */
34 34
35#include <sys/cdefs.h> 35#include <sys/cdefs.h>
36__KERNEL_RCSID(0, "$NetBSD: usbnet.c,v 1.25.2.4 2019/12/17 12:55:10 martin Exp $"); 36__KERNEL_RCSID(0, "$NetBSD: usbnet.c,v 1.25.2.5 2020/08/28 19:36:34 martin Exp $");
37 37
38#include <sys/param.h> 38#include <sys/param.h>
39#include <sys/kernel.h> 39#include <sys/kernel.h>
40#include <sys/kmem.h> 40#include <sys/kmem.h>
41#include <sys/module.h> 41#include <sys/module.h>
42#include <sys/atomic.h> 42#include <sys/atomic.h>
43 43
44#include <dev/usb/usbnet.h> 44#include <dev/usb/usbnet.h>
45#include <dev/usb/usbhist.h> 45#include <dev/usb/usbhist.h>
46 46
47struct usbnet_cdata { 47struct usbnet_cdata {
48 struct usbnet_chain *uncd_tx_chain; 48 struct usbnet_chain *uncd_tx_chain;
49 struct usbnet_chain *uncd_rx_chain; 49 struct usbnet_chain *uncd_rx_chain;
@@ -217,26 +217,29 @@ static void @@ -217,26 +217,29 @@ static void
217uno_intr(struct usbnet *un, usbd_status status) 217uno_intr(struct usbnet *un, usbd_status status)
218{ 218{
219 if (un->un_ops->uno_intr) 219 if (un->un_ops->uno_intr)
220 (*un->un_ops->uno_intr)(un, status); 220 (*un->un_ops->uno_intr)(un, status);
221} 221}
222 222
223/* Interrupt handling. */ 223/* Interrupt handling. */
224 224
225static struct mbuf * 225static struct mbuf *
226usbnet_newbuf(size_t buflen) 226usbnet_newbuf(size_t buflen)
227{ 227{
228 struct mbuf *m; 228 struct mbuf *m;
229 229
 230 if (buflen > MCLBYTES)
 231 return NULL;
 232
230 MGETHDR(m, M_DONTWAIT, MT_DATA); 233 MGETHDR(m, M_DONTWAIT, MT_DATA);
231 if (m == NULL) 234 if (m == NULL)
232 return NULL; 235 return NULL;
233 236
234 if (buflen > MHLEN - ETHER_ALIGN) { 237 if (buflen > MHLEN - ETHER_ALIGN) {
235 MCLGET(m, M_DONTWAIT); 238 MCLGET(m, M_DONTWAIT);
236 if (!(m->m_flags & M_EXT)) { 239 if (!(m->m_flags & M_EXT)) {
237 m_freem(m); 240 m_freem(m);
238 return NULL; 241 return NULL;
239 } 242 }
240 } 243 }
241 244
242 m_adj(m, ETHER_ALIGN); 245 m_adj(m, ETHER_ALIGN);