From: Andriy Voskoboinyk
Date: Tue, 6 Sep 2016 06:40:59 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r305465 - head/sys/dev/usb/wlan

Author: avos
Date: Tue Sep 6 06:40:59 2016
New Revision: 305465
URL: https://svnweb.freebsd.org/changeset/base/305465

Log:
  rum: fix frame length checks in Rx path.

  Split usbd_xfer_status() check:
  - Check xfer length: must be longer than Rx descriptor size.
  - Check frame size: must be shorter than xfer length.
  - Discard too short frames.

  Tested with WUSB54GC, STA/MONITOR modes.

Modified:
  head/sys/dev/usb/wlan/if_rum.c

Modified: head/sys/dev/usb/wlan/if_rum.c ============================================================================== --- head/sys/dev/usb/wlan/if_rum.c Tue Sep 6 06:26:24 2016 (r305464) +++ head/sys/dev/usb/wlan/if_rum.c Tue Sep 6 06:40:59 2016 (r305465) @@ -1151,7 +1151,7 @@ rum_bulk_read_callback(struct usb_xfer * DPRINTFN(15, "rx done, actlen=%d\n", len); - if (len < (int)(RT2573_RX_DESC_SIZE + IEEE80211_MIN_LEN)) { + if (len < RT2573_RX_DESC_SIZE) { DPRINTF("%s: xfer too short %d\n", device_get_nameunit(sc->sc_dev), len); counter_u64_add(ic->ic_ierrors, 1); 
@@ -1165,6 +1165,20 @@ rum_bulk_read_callback(struct usb_xfer * rssi = rum_get_rssi(sc, sc->sc_rx_desc.rssi); flags = le32toh(sc->sc_rx_desc.flags); sc->last_rx_flags = flags; + if (len < ((flags >> 16) & 0xfff)) { + DPRINTFN(5, "%s: frame is truncated from %d to %d " + "bytes\n", device_get_nameunit(sc->sc_dev), + (flags >> 16) & 0xfff, len); + counter_u64_add(ic->ic_ierrors, 1); + goto tr_setup; + } + len = (flags >> 16) & 0xfff; + if (len < sizeof(struct ieee80211_frame_ack)) { + DPRINTFN(5, "%s: frame too short %d\n", + device_get_nameunit(sc->sc_dev), len); + counter_u64_add(ic->ic_ierrors, 1); + goto tr_setup; + } if (flags & RT2573_RX_CRC_ERROR) { /* * This should not happen since we did not @@ -1210,7 +1224,7 @@ rum_bulk_read_callback(struct usb_xfer * } /* finalize mbuf */ - m->m_pkthdr.len = m->m_len = (flags >> 16) & 0xfff; + m->m_pkthdr.len = m->m_len = len; if (ieee80211_radiotap_active(ic)) { struct rum_rx_radiotap_header *tap = &sc->sc_rxtap;
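
Review bot: the new test `if (len < RT2573_RX_DESC_SIZE)` in the hunk at -1151 drops the `(int)` cast that the removed line carried. len is printed with %d, so it looks signed; if RT2573_RX_DESC_SIZE expands to a sizeof expression, len is converted to an unsigned type for the comparison and a negative value would pass as "long enough". Suggest keeping the cast, as in `if (len < (int)RT2573_RX_DESC_SIZE)`. Separately, the log says the xfer "must be longer" than the Rx descriptor, while `<` also accepts a transfer exactly the size of the descriptor; that case is left to the later frame-length checks, which deserves a one-line comment here or a switch to `<=`.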
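
Review bot: the bound used in `if (len < ((flags >> 16) & 0xfff))` in the hunk at -1165 is only correct if len no longer includes RT2573_RX_DESC_SIZE at this point, and nothing in the visible lines shows that subtraction. If len is still the full transfer length, a device-supplied frame length between the payload size and len passes this check and is then assigned to len and later to `m->m_pkthdr.len`; please confirm the descriptor size is subtracted before this line or compare against the payload size explicitly. The expression `(flags >> 16) & 0xfff` now appears three times in the hunk; computing it once into a local would keep the comparison, the DPRINTFN arguments and the assignment in step, and would let the %d format match a value of a known signed type. The second test, `len < sizeof(struct ieee80211_frame_ack)`, mixes int and size_t, which is harmless only because len has just been masked to 12 bits; a short comment saying so would help the next reader.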