- Use 'uint32_t' to save be32toh(9) result.
- Drop too short payload (to prevent 'chunklen' underflow).
- Recheck Rx descriptor fields to prevent buffer over-read.
Details
Details
Untested.
Diff Detail
Diff Detail
- Repository
- rS FreeBSD src repository - subversion
- Lint
Lint Skipped - Unit
Tests Skipped
Event Timeline
sys/dev/usb/wlan/if_uath.c | ||
---|---|---|
2224 | If hdr->len comes from HW, please verify that value is valid! | |
2230 | Missing upper range check? | |
2499 | chunklen should also be checked against actlen ??? | |
2572 | Are the offsets and payloads within the USB buffer and below actlen ? | |
2601 | Missing upper and lower checks for desc->framelen ! |
sys/dev/usb/wlan/if_uath.c | ||
---|---|---|
2224 | Done in uath_intr_rx_callback() |
Comment Actions
- Add more 'framelen' variable checks.
- Check hdr->len before using it to calculate dlen.
sys/dev/usb/wlan/if_uath.c | ||
---|---|---|
2248 | Can you invert this code? It makes it more clear: !(a && b) == ((!a) || (!b)) if (hdr->len < sizeof(*hdr) || hdr->len >= UATH_MAX_CMDSZ) | |
2357 | if (hdr->len > (uint32_t)actlen) | |
2615 | Add this check first? Or is it redundant? cast: actlen - sizeof(struct uath_chunk) to uint32_t: framelen > (uint32_t)(actlen - sizeof(struct uath_chunk)) |
sys/dev/usb/wlan/if_uath.c | ||
---|---|---|
2615 | Already checked at the top of the function ('if (actlen < (int)UATH_MIN_RXBUFSZ)') |