diff options
| author | Mark Johnston <markj@FreeBSD.org> | 2022-04-05 22:52:18 +0000 |
|---|---|---|
| committer | Ed Maste <emaste@FreeBSD.org> | 2022-04-05 23:00:28 +0000 |
| commit | 629df7c108abe26496c3a5c196cce79a47bc1f21 (patch) | |
| tree | 43b1e4c8e92c1062c4e6099740399026c6e16a7b | |
| parent | ca211d5f64999e5efe6ac3459d912aa6f8d0546e (diff) | |
| download | src-629df7c108abe26496c3a5c196cce79a47bc1f21.tar.gz src-629df7c108abe26496c3a5c196cce79a47bc1f21.zip | |
bhyve: validate e82545 checksum offset field
Reported by: Mehdi Talbi, Synacktiv
(cherry picked from commit b0aa20bec5db244980a0248e24dd6b8e1e68c4d0)
(cherry picked from commit 53f72209479885dfa6a7e6ed68cbc82c68464f4b)
| -rw-r--r-- | usr.sbin/bhyve/pci_e82545.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/usr.sbin/bhyve/pci_e82545.c b/usr.sbin/bhyve/pci_e82545.c index c6ca5882a535..2a1e54d89c59 100644 --- a/usr.sbin/bhyve/pci_e82545.c +++ b/usr.sbin/bhyve/pci_e82545.c @@ -1275,9 +1275,7 @@ e82545_transmit(struct e82545_softc *sc, uint16_t head, uint16_t tail, goto done; } if (sc->esc_txctx.cmd_and_length & E1000_TXD_CMD_TCP) { - if (hdrlen < ckinfo[1].ck_start + 14 || - (ckinfo[1].ck_valid && - hdrlen < ckinfo[1].ck_off + 2)) { + if (hdrlen < ckinfo[1].ck_start + 14) { WPRINTF("TSO hdrlen too small for TCP fields " "(%d) -- dropped", hdrlen); goto done; @@ -1289,6 +1287,11 @@ e82545_transmit(struct e82545_softc *sc, uint16_t head, uint16_t tail, goto done; } } + if (ckinfo[1].ck_valid && hdrlen < ckinfo[1].ck_off + 2) { + WPRINTF("TSO hdrlen too small for TCP/UDP fields " + "(%d) -- dropped", hdrlen); + goto done; + } } /* Allocate, fill and prepend writable header vector. */ |