diff options
| author | Mark Johnston <markj@FreeBSD.org> | 2022-04-05 23:26:02 +0000 |
|---|---|---|
| committer | Ed Maste <emaste@FreeBSD.org> | 2022-04-05 23:26:02 +0000 |
| commit | b85c68857da3fdd833c4c146e2f5f49f4c16b0d7 (patch) | |
| tree | fbe9c30ef130e88f4da1b626498a7adc78ecc8a5 | |
| parent | 4996f46e03a442765c56b562c04c6e3ceae0104c (diff) | |
bhyve: validate e82545 checksum offset field
Reported by: Mehdi Talbi, Synacktiv
(cherry picked from commit b0aa20bec5db244980a0248e24dd6b8e1e68c4d0)
(cherry picked from commit 53f72209479885dfa6a7e6ed68cbc82c68464f4b)
Approved by: so
Security: CVE-2022-23087
Security: FreeBSD-SA-22:05.bhyve
| -rw-r--r-- | usr.sbin/bhyve/pci_e82545.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/usr.sbin/bhyve/pci_e82545.c b/usr.sbin/bhyve/pci_e82545.c index 2d09c024f258..9581e616c76c 100644 --- a/usr.sbin/bhyve/pci_e82545.c +++ b/usr.sbin/bhyve/pci_e82545.c @@ -1277,9 +1277,7 @@ e82545_transmit(struct e82545_softc *sc, uint16_t head, uint16_t tail, goto done; } if (sc->esc_txctx.cmd_and_length & E1000_TXD_CMD_TCP) { - if (hdrlen < ckinfo[1].ck_start + 14 || - (ckinfo[1].ck_valid && - hdrlen < ckinfo[1].ck_off + 2)) { + if (hdrlen < ckinfo[1].ck_start + 14) { WPRINTF("TSO hdrlen too small for TCP fields " "(%d) -- dropped", hdrlen); goto done; @@ -1291,6 +1289,11 @@ e82545_transmit(struct e82545_softc *sc, uint16_t head, uint16_t tail, goto done; } } + if (ckinfo[1].ck_valid && hdrlen < ckinfo[1].ck_off + 2) { + WPRINTF("TSO hdrlen too small for TCP/UDP fields " + "(%d) -- dropped", hdrlen); + goto done; + } } /* Allocate, fill and prepend writable header vector. */ |