Date:      Fri, 6 Jun 2014 10:50:15 +0000 (UTC)
From:      Luigi Rizzo <luigi@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r267151 - head/sys/dev/netmap
Message-ID:  <201406061050.s56AoFfH061843@svn.freebsd.org>

Author: luigi
Date: Fri Jun  6 10:50:14 2014
New Revision: 267151
URL: http://svnweb.freebsd.org/changeset/base/267151

Log:
  add checks for invalid buffer pointers and lengths

Modified:
  head/sys/dev/netmap/netmap_vale.c

Modified: head/sys/dev/netmap/netmap_vale.c
==============================================================================
--- head/sys/dev/netmap/netmap_vale.c	Fri Jun  6 10:40:20 2014	(r267150)
+++ head/sys/dev/netmap/netmap_vale.c	Fri Jun  6 10:50:14 2014	(r267151)
@@ -959,6 +959,14 @@ nm_bdg_preflush(struct netmap_vp_adapter
 		ft[ft_i].ft_next = NM_FT_NULL;
 		buf = ft[ft_i].ft_buf = (slot->flags & NS_INDIRECT) ?
 			(void *)(uintptr_t)slot->ptr : BDG_NMB(&na->up, slot);
+		if (unlikely(buf == NULL)) {
+			RD(5, "NULL %s buffer pointer from %s slot %d len %d",
+				(slot->flags & NS_INDIRECT) ? "INDIRECT" : "DIRECT",
+				kring->name, j, ft[ft_i].ft_len);
+			buf = ft[ft_i].ft_buf = NMB_VA(0); /* the 'null' buffer */
+			ft[ft_i].ft_len = 0;
+			ft[ft_i].ft_flags = 0;
+		}
 		__builtin_prefetch(buf);
 		++ft_i;
 		if (slot->flags & NS_MOREFRAG) {
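Review bot: The added guard rejects only `buf == NULL`; for an NS_INDIRECT slot, `slot->ptr` is a caller-supplied address, and any other bad value passes this check unchanged. That case appears to be left to the `copyin()` in nm_bdg_flush (visible in the third hunk of this commit), which is worth stating here. I would also document why `ft_flags` is cleared, for example `/* only NULL is caught here; other bad INDIRECT pointers fail in copyin() at flush time. Clear ft_flags so the null buffer is not handled as a user pointer. */`. Note that the log line prints `ft[ft_i].ft_len` with `%d`; its type is not visible in the hunk, so confirm the specifier matches. nm_bdg_preflush starts and ends outside the hunk.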
@@ -1312,6 +1320,7 @@ nm_bdg_flush(struct nm_bdg_fwd *ft, u_in
 		needed = d->bq_len + brddst->bq_len;
 
 		if (unlikely(dst_na->virt_hdr_len != na->virt_hdr_len)) {
+			RD(3, "virt_hdr_mismatch, src %d len %d", na->virt_hdr_len, dst_na->virt_hdr_len);
 			/* There is a virtio-net header/offloadings mismatch between
 			 * source and destination. The slower mismatch datapath will
 			 * be used to cope with all the mismatches.
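Review bot: The format string in the added `RD(3, ...)` labels its second value `len`, but the arguments are `na->virt_hdr_len` and `dst_na->virt_hdr_len`, i.e. the source and destination header lengths. Anyone reading the rate-limited log while diagnosing a mismatch will misread the second number; I would write `RD(3, "virt_hdr_mismatch, src %d dst %d", na->virt_hdr_len, dst_na->virt_hdr_len);`. The declared type of `virt_hdr_len` is not visible here, so confirm `%d` is the right specifier. The enclosing `if` block and its comment continue past the end of the hunk.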
@@ -1412,6 +1421,11 @@ retry:
 					/* round to a multiple of 64 */
 					copy_len = (copy_len + 63) & ~63;
 
+					if (unlikely(copy_len > NETMAP_BUF_SIZE ||
+							copy_len > NETMAP_BUF_SIZE)) {
+						RD(5, "invalid len %d, down to 64", (int)copy_len);
+						copy_len = dst_len = 64; // XXX
+					}
 					if (ft_p->ft_flags & NS_INDIRECT) {
 						if (copyin(src, dst, copy_len)) {
 							// invalid user pointer, pretend len is 0
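Review bot: Both operands of the `||` in the added check compare `copy_len` with `NETMAP_BUF_SIZE`, so the second test is dead and `dst_len` is never validated even though the body resets it. If the intent was to bound both lengths before the `copyin()`/copy that follows, the condition should read `if (unlikely(copy_len > NETMAP_BUF_SIZE || dst_len > NETMAP_BUF_SIZE)) {`. Separately, the fallback forwards a 64-byte frame rather than dropping the slot, and the `// XXX` suggests this is provisional; a comment stating what the destination ring receives in that case would help the next reader. The surrounding loop in nm_bdg_flush begins and ends outside the hunk.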


