Date:      Fri, 6 Nov 2015 12:54:27 +0000 (UTC)
From:      Hans Petter Selasky <hselasky@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r290441 - head/sys/dev/usb/net
Message-ID:  <201511061254.tA6CsR3q007971@repo.freebsd.org>

Author: hselasky
Date: Fri Nov  6 12:54:27 2015
New Revision: 290441
URL: https://svnweb.freebsd.org/changeset/base/290441

Log:
  Fix for unaligned IP-header.
  
  The mbuf length fields must be set before m_adj() is called else
  m_adj() will not always adjust the mbuf and an unaligned read
  exception can trigger inside the network stack. This can happen on
  platforms where unaligned reads are not supported. Adjust a length
  check to include the 2-byte ethernet alignment while at it.
  
  MFC after:	3 days

Modified:
  head/sys/dev/usb/net/if_cdce.c
  head/sys/dev/usb/net/if_urndis.c

Modified: head/sys/dev/usb/net/if_cdce.c
==============================================================================
--- head/sys/dev/usb/net/if_cdce.c	Fri Nov  6 12:02:24 2015	(r290440)
+++ head/sys/dev/usb/net/if_cdce.c	Fri Nov  6 12:54:27 2015	(r290441)
@@ -1535,6 +1535,7 @@ cdce_ncm_bulk_read_callback(struct usb_x
 
 			/* check if we have a buffer */
 			if (m) {
+				m->m_len = m->m_pkthdr.len = temp + ETHER_ALIGN;
 				m_adj(m, ETHER_ALIGN);
 
 				usbd_copy_out(pc, offset, m->m_data, temp);
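Review bot: no bound on temp against the mbuf's capacity is visible around the new assignment in cdce_ncm_bulk_read_callback, and unlike if_urndis.c no length check is adjusted in this file. Please confirm that temp is already limited to the buffer size minus ETHER_ALIGN before this point. If the existing check still compares against the full buffer size, the new m_len and m_pkthdr.len can claim more than the buffer holds, and the usbd_copy_out() of temp bytes into m->m_data after m_adj() can run up to 2 bytes past its end. In that case the cdce check needs the same 2-byte reduction that the urndis check receives in this commit.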

Modified: head/sys/dev/usb/net/if_urndis.c
==============================================================================
--- head/sys/dev/usb/net/if_urndis.c	Fri Nov  6 12:02:24 2015	(r290440)
+++ head/sys/dev/usb/net/if_urndis.c	Fri Nov  6 12:54:27 2015	(r290441)
@@ -884,7 +884,7 @@ urndis_bulk_read_callback(struct usb_xfe
 				DPRINTF("invalid ethernet size "
 				    "%u < %u\n", msg.rm_datalen, (unsigned)sizeof(struct ether_header));
 				goto tr_setup;
-			} else if (msg.rm_datalen > (uint32_t)MCLBYTES) {
+			} else if (msg.rm_datalen > (uint32_t)(MCLBYTES - ETHER_ALIGN)) {
 				if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
 				DPRINTF("invalid ethernet size "
 				    "%u > %u\n",
@@ -898,6 +898,7 @@ urndis_bulk_read_callback(struct usb_xfe
 
 			/* check if we have a buffer */
 			if (m != NULL) {
+				m->m_len = m->m_pkthdr.len = msg.rm_datalen + ETHER_ALIGN;
 				m_adj(m, ETHER_ALIGN);
 
 				usbd_copy_out(pc, offset + msg.rm_dataoffset +
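Review bot: the ordering requirement at the m_adj(m, ETHER_ALIGN) call in urndis_bulk_read_callback is documented only in the commit log, and the same two-line pattern now appears in both drivers. A short comment above the assignment, saying that m_len and m_pkthdr.len must be set before m_adj() so that the 2-byte trim actually takes effect, would keep a later cleanup from reordering or dropping the line. The comment could also record that msg.rm_datalen + ETHER_ALIGN stays within MCLBYTES only because of the check adjusted in the previous hunk, since the two changes depend on each other.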


