1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
|
--- sys/dev/usb/net/if_smsc.c.orig
+++ sys/dev/usb/net/if_smsc.c
@@ -970,7 +970,7 @@
struct mbuf *m;
struct usb_page_cache *pc;
uint32_t rxhdr;
- uint16_t pktlen;
+ int pktlen;
int off;
int actlen;
@@ -996,6 +996,9 @@
/* The frame header is always aligned on a 4 byte boundary */
off = ((off + 0x3) & ~0x3);
+ if ((off + sizeof(rxhdr)) > actlen)
+ goto tr_setup;
+
usbd_copy_out(pc, off, &rxhdr, sizeof(rxhdr));
off += (sizeof(rxhdr) + ETHER_ALIGN);
rxhdr = le32toh(rxhdr);
@@ -1024,7 +1027,13 @@
if_inc_counter(ifp, IFCOUNTER_IQDROPS, 1);
goto tr_setup;
}
-
+ if (pktlen > m->m_len) {
+ smsc_dbg_printf(sc, "buffer too small %d vs %d bytes",
+ pktlen, m->m_len);
+ if_inc_counter(ifp, IFCOUNTER_IQDROPS, 1);
+ m_freem(m);
+ goto tr_setup;
+ }
usbd_copy_out(pc, off, mtod(m, uint8_t *), pktlen);
/* Check if RX TCP/UDP checksumming is being offloaded */
|
