CVS commit: src/sys/dev/usb

Fri, 12 Aug 2022 04:25:52 -0700 

Module Name:    src
Committed By:   riastradh
Date:           Fri Aug 12 11:25:46 UTC 2022

Modified Files:
        src/sys/dev/usb: usbnet.c

Log Message:
usbnet(9): Fix mbuf alignment and narrow bounds check.

In usbnet.c rev. 1.16, usbnet_newbuf was first passed a buffer length
to verify it fits within MCLBYTES.  It also changed m_adj to go
before, not after, setting m_len and m_pkthdr.len -- which had the
effect of making the m_adj a no-op, because after MGETHDR the mbuf
has zero length and m_adj stops at the length of the mbuf, so nothing
was aligned as intended.

To make this aligned as intended, we require the buffer length to be
_below_ MCLBYTES, by ETHER_ALIGN, so there's room for the ethernet
header in a maximum-length payload.  Once we do that, it is safe to
initialize m_len = m_pkthdr.len = ETHER_ALIGN + buflen, which is
below the actual size of the mbuf (MHLEN or MCLBYTES, depending), and
_then_ do m_adj to align the pointer.


To generate a diff of this commit:
cvs rdiff -u -r1.95 -r1.96 src/sys/dev/usb/usbnet.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/sys/dev/usb/usbnet.c
diff -u src/sys/dev/usb/usbnet.c:1.95 src/sys/dev/usb/usbnet.c:1.96
--- src/sys/dev/usb/usbnet.c:1.95	Sun Aug  7 23:49:30 2022
+++ src/sys/dev/usb/usbnet.c	Fri Aug 12 11:25:45 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: usbnet.c,v 1.95 2022/08/07 23:49:30 riastradh Exp $	*/
+/*	$NetBSD: usbnet.c,v 1.96 2022/08/12 11:25:45 riastradh Exp $	*/
 
 /*
  * Copyright (c) 2019 Matthew R. Green
@@ -31,7 +31,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: usbnet.c,v 1.95 2022/08/07 23:49:30 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: usbnet.c,v 1.96 2022/08/12 11:25:45 riastradh Exp $");
 
 #include <sys/param.h>
 #include <sys/kernel.h>
@@ -263,7 +263,7 @@ usbnet_newbuf(size_t buflen)
 {
 	struct mbuf *m;
 
-	if (buflen > MCLBYTES)
+	if (buflen > MCLBYTES - ETHER_ALIGN)
 		return NULL;
 
 	MGETHDR(m, M_DONTWAIT, MT_DATA);
@@ -278,8 +278,8 @@ usbnet_newbuf(size_t buflen)
 		}
 	}
 
+	m->m_len = m->m_pkthdr.len = ETHER_ALIGN + buflen;
 	m_adj(m, ETHER_ALIGN);
-	m->m_len = m->m_pkthdr.len = buflen;
 
 	return m;
 }

Reply via email to