CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit

author	John Baldwin <jhb@FreeBSD.org>
	Wed, 17 Aug 2022 17:01:16 +0000 (10:01 -0700)
committer	John Baldwin <jhb@FreeBSD.org>
	Wed, 17 Aug 2022 17:01:16 +0000 (10:01 -0700)
commit	fa46f3704b7618f9d9493c126df781faf59040a8
tree	5a8667b326346d0b585912b71ee2eae17d560639	tree \| snapshot
parent	e7439f6aeb235ba3a7e79818c56a63d066c80854	commit \| diff

bhyve e1000: Skip packets with a small header.

Certain operations such as checksum insertion and VLAN insertion
require the device model to rewrite the packet header.  The first step
in rewriting the packet header is to copy the existing packet header
from the source packet.  This copy is done by copying data from an
iovec array that corresponds to the S/G entries described by transmit
descriptors.  However, if the total packet length is smaller than the
headers that need to be copied as the initial template, this copy can
overflow the iovec array and use garbage values as the source pointer
to memcpy.  The PR used a single descriptor with a length of 0 in its
PoC.

To fix, track the total packet length and drop requests to transmit
packets whose payload is smaller than the required header length.

While here, fix another issue where the final descriptor could have an
invalid length (too short) that could underflow 'len' when stripping
the checksum.  Skip those requests instead, too.

PR: 264372
Reported by: Robert Morris <rtm@lcs.mit.edu>
Reviewed by: grehan, markj
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D36182