Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 6 Apr 2022 01:56:57 GMT
From:      Ed Maste <emaste@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 5a28d8befda0 - releng/13.1 - bhyve: validate e82545 checksum offset field
Message-ID:  <202204060156.2361uvr5038674@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
The branch releng/13.1 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=5a28d8befda032e52bf8ad160992e3499f5bbdff

commit 5a28d8befda032e52bf8ad160992e3499f5bbdff
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2022-04-05 22:51:19 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2022-04-06 01:56:21 +0000

    bhyve: validate e82545 checksum offset field
    
    Reported by:    Mehdi Talbi, Synacktiv
    
    (cherry picked from commit b0aa20bec5db244980a0248e24dd6b8e1e68c4d0)
    (cherry picked from commit 53f72209479885dfa6a7e6ed68cbc82c68464f4b)
    
    Approved by:    so, re (implicit)
---
 usr.sbin/bhyve/pci_e82545.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/usr.sbin/bhyve/pci_e82545.c b/usr.sbin/bhyve/pci_e82545.c
index d0b4fb9e466f..76f2839fba31 100644
--- a/usr.sbin/bhyve/pci_e82545.c
+++ b/usr.sbin/bhyve/pci_e82545.c
@@ -1278,9 +1278,7 @@ e82545_transmit(struct e82545_softc *sc, uint16_t head, uint16_t tail,
 			goto done;
 		}
 		if (sc->esc_txctx.cmd_and_length & E1000_TXD_CMD_TCP) {
-			if (hdrlen < ckinfo[1].ck_start + 14 ||
-			    (ckinfo[1].ck_valid &&
-			    hdrlen < ckinfo[1].ck_off + 2)) {
+			if (hdrlen < ckinfo[1].ck_start + 14) {
 				WPRINTF("TSO hdrlen too small for TCP fields "
 				    "(%d) -- dropped", hdrlen);
 				goto done;
@@ -1292,6 +1290,11 @@ e82545_transmit(struct e82545_softc *sc, uint16_t head, uint16_t tail,
 				goto done;
 			}
 		}
+		if (ckinfo[1].ck_valid && hdrlen < ckinfo[1].ck_off + 2) {
+			WPRINTF("TSO hdrlen too small for TCP/UDP fields "
+			    "(%d) -- dropped", hdrlen);
+			goto done;
+		}
 	}
 
 	/* Allocate, fill and prepend writable header vector. */

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202204060156.2361uvr5038674>