From owner-svn-src-all@FreeBSD.ORG Mon Mar 28 16:58:48 2011 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B5A251065676; Mon, 28 Mar 2011 16:58:48 +0000 (UTC) (envelope-from yongari@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id A68858FC13; Mon, 28 Mar 2011 16:58:48 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id p2SGwmJR000487; Mon, 28 Mar 2011 16:58:48 GMT (envelope-from yongari@svn.freebsd.org) Received: (from yongari@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id p2SGwmOv000485; Mon, 28 Mar 2011 16:58:48 GMT (envelope-from yongari@svn.freebsd.org) Message-Id: <201103281658.p2SGwmOv000485@svn.freebsd.org> From: Pyun YongHyeon Date: Mon, 28 Mar 2011 16:58:48 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r220103 - head/sys/dev/fxp X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Mar 2011 16:58:48 -0000 Author: yongari Date: Mon Mar 28 16:58:48 2011 New Revision: 220103 URL: http://svn.freebsd.org/changeset/base/220103 Log: Normally fxp(4) does not receive bad frames but promiscuous mode makes controller to receive bad frames and i82557 will also receive bad frames since fxp(4) have to receive VLAN oversized frames. If fxp(4) encounter DMA overrun error, the received frame size would be 0 so the actual frame size after checksum field extraction the length would be negative(-2). Due to signed/unsigned comparison used in driver, frame length check did not work for DMA overrun frames. Correct this by casting it to int. While I'm here explicitly check DMA overrun error and discard the frame regardless of result of received frame length check. Reported by: n_hibma Tested by: n_hibma MFC after: 1 week Modified: head/sys/dev/fxp/if_fxp.c Modified: head/sys/dev/fxp/if_fxp.c ============================================================================== --- head/sys/dev/fxp/if_fxp.c Mon Mar 28 13:28:23 2011 (r220102) +++ head/sys/dev/fxp/if_fxp.c Mon Mar 28 16:58:48 2011 (r220103) @@ -1941,11 +1941,11 @@ fxp_intr_body(struct fxp_softc *sc, stru /* Adjust for appended checksum bytes. */ total_len -= 2; } - if (total_len < sizeof(struct ether_header) || + if (total_len < (int)sizeof(struct ether_header) || total_len > (MCLBYTES - RFA_ALIGNMENT_FUDGE - sc->rfa_size) || status & (FXP_RFA_STATUS_CRC | - FXP_RFA_STATUS_ALIGN)) { + FXP_RFA_STATUS_ALIGN | FXP_RFA_STATUS_OVERRUN)) { m_freem(m); fxp_add_rfabuf(sc, rxp); continue;