Date: Wed, 6 Apr 2022 03:04:47 GMT
From: Ed Maste <emaste@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject: git: 9c55c1cf567c - releng/12.3 - bhyve: validate e82545 checksum offset field
Message-ID: <202204060304.23634l3B035153@gitrepo.freebsd.org>
The branch releng/12.3 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=9c55c1cf567c598b0bbb2e996d09ca0b44ba88f5 commit 9c55c1cf567c598b0bbb2e996d09ca0b44ba88f5 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2022-04-05 23:20:50 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2022-04-05 23:28:58 +0000 bhyve: validate e82545 checksum offset field Reported by: Mehdi Talbi, Synacktiv (cherry picked from commit b0aa20bec5db244980a0248e24dd6b8e1e68c4d0) (cherry picked from commit 53f72209479885dfa6a7e6ed68cbc82c68464f4b) (cherry picked from commit 1da62e16e4a2270c85db1f507cc3025c5e0d9fdd) Approved by: so Security: CVE-2022-23087 Security: FreeBSD-SA-22:05.bhyve --- usr.sbin/bhyve/pci_e82545.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/usr.sbin/bhyve/pci_e82545.c b/usr.sbin/bhyve/pci_e82545.c index c6ca5882a535..2a1e54d89c59 100644 --- a/usr.sbin/bhyve/pci_e82545.c +++ b/usr.sbin/bhyve/pci_e82545.c @@ -1275,9 +1275,7 @@ e82545_transmit(struct e82545_softc *sc, uint16_t head, uint16_t tail, goto done; } if (sc->esc_txctx.cmd_and_length & E1000_TXD_CMD_TCP) { - if (hdrlen < ckinfo[1].ck_start + 14 || - (ckinfo[1].ck_valid && - hdrlen < ckinfo[1].ck_off + 2)) { + if (hdrlen < ckinfo[1].ck_start + 14) { WPRINTF("TSO hdrlen too small for TCP fields " "(%d) -- dropped", hdrlen); goto done; @@ -1289,6 +1287,11 @@ e82545_transmit(struct e82545_softc *sc, uint16_t head, uint16_t tail, goto done; } } + if (ckinfo[1].ck_valid && hdrlen < ckinfo[1].ck_off + 2) { + WPRINTF("TSO hdrlen too small for TCP/UDP fields " + "(%d) -- dropped", hdrlen); + goto done; + } } /* Allocate, fill and prepend writable header vector. */
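Review bot: in the first hunk (the E1000_TXD_CMD_TCP branch of e82545_transmit), the remaining bound `hdrlen < ckinfo[1].ck_start + 14` keeps a bare 14 with no comment saying which TCP header fields it covers. Now that the `ck_off + 2` half of the condition has moved out of this branch, a named constant or a one-line comment would make it clear that this test only guards the fields relative to ck_start and that the checksum offset is bounded separately further down.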
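Review bot: in the second hunk, the added `ckinfo[1].ck_valid && hdrlen < ckinfo[1].ck_off + 2` test sits inside the block that closes on the very next line, so it runs only on that path, and it checks only ckinfo[1]. The visible lines do not show whether ck_off is also bounded on the path that skips this block, or for ckinfo[0]; both are worth confirming before relying on this check alone. The new warning text is nearly identical to the TCP one above it and prints only hdrlen; naming the checksum offset in the message and logging ckinfo[1].ck_off would make a dropped packet easier to diagnose.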