The branch main has been updated by hselasky:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=6eb6aeef7e670bddc9cd52aaf32765a9ea85eee3

commit 6eb6aeef7e670bddc9cd52aaf32765a9ea85eee3
Author:     Hans Petter Selasky <hsela...@freebsd.org>
AuthorDate: 2022-04-30 09:21:54 +0000
Commit:     Hans Petter Selasky <hsela...@freebsd.org>
CommitDate: 2022-04-30 09:23:07 +0000

    uath(4): Fix incorrect byte-swapping and a buffer length check.
    
    PR:                     263638
    Reported by:            Jeff Gibbons <jgibb...@protogate.com>
    MFC after:              1 week
    Sponsored by:           NVIDIA Networking
---
 sys/dev/usb/wlan/if_uath.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/sys/dev/usb/wlan/if_uath.c b/sys/dev/usb/wlan/if_uath.c
index df7e1d7c396f..4ffdc9a72fad 100644
--- a/sys/dev/usb/wlan/if_uath.c
+++ b/sys/dev/usb/wlan/if_uath.c
@@ -2244,7 +2244,7 @@ uath_cmdeof(struct uath_softc *sc, struct uath_cmd *cmd)
                        u_int olen;
 
                        if (sizeof(*hdr) > hdr->len ||
-                           hdr->len >= UATH_MAX_CMDSZ) {
+                           hdr->len > UATH_MAX_CMDSZ) {
                                device_printf(sc->sc_dev,
                                    "%s: invalid WDC msg length %u; "
                                    "msg ignored\n", __func__, hdr->len);
@@ -2360,11 +2360,10 @@ uath_intr_rx_callback(struct usb_xfer *xfer, 
usb_error_t error)
                usbd_copy_out(pc, 0, cmd->buf, actlen);
 
                hdr = (struct uath_cmd_hdr *)cmd->buf;
-               hdr->len = be32toh(hdr->len);
-               if (hdr->len > (uint32_t)actlen) {
+               if (be32toh(hdr->len) > (uint32_t)actlen) {
                        device_printf(sc->sc_dev,
                            "%s: truncated xfer (len %u, actlen %d)\n",
-                           __func__, hdr->len, actlen);
+                           __func__, be32toh(hdr->len), actlen);
                        goto setup;
                }
 
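Review bot: After this change hdr->len stays in wire (big-endian) order in cmd->buf, and nothing at the check says so; a reader who sees `be32toh(hdr->len)` twice may reintroduce the in-place swap that was just removed. A comment such as `/* NB: hdr->len is left big-endian here; it is byte-swapped later by the consumer of cmd->buf */` would record that (the consumer is presumably uath_cmdeof, which this hunk does not show). Converting once into a local, `uint32_t len = be32toh(hdr->len);`, and using `len` in both the comparison and the device_printf would also avoid the repeated conversion. The test bounds the device-reported length only from above; whether actlen is compared with sizeof(*hdr) before the cast lies outside the hunk and is worth confirming. uath_intr_rx_callback's body continues on both sides of the hunk.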
