From 1f5f8963a7d14279a7b4b058e3aaf444179d627c Mon Sep 17 00:00:00 2001
From: Gordon Tetlow <gordon@FreeBSD.org>
Date: Tue, 15 Sep 2020 21:42:05 +0000
Subject: [PATCH] Fix ure device driver susceptible to packet-in-packet attack.

Approved by:	so
Approved by:	re (implicit for releng/12.2)
Security:	FreeBSD-SA-20:27.ure
Security:	CVE-2020-7464
---
 sys/dev/usb/net/if_ure.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/sys/dev/usb/net/if_ure.c b/sys/dev/usb/net/if_ure.c
index 24ce36b64a6..c6284b423d5 100644
--- a/sys/dev/usb/net/if_ure.c
+++ b/sys/dev/usb/net/if_ure.c
@@ -784,9 +784,10 @@ ure_rxfilter(struct usb_ether *ue)
 
 	URE_LOCK_ASSERT(sc, MA_OWNED);
 
-	rxmode = URE_RCR_APM;
-	if (ifp->if_flags & IFF_BROADCAST)
-		 rxmode |= URE_RCR_AB;
+	rxmode = ure_read_4(sc, URE_PLA_RCR, URE_MCU_TYPE_PLA);
+	rxmode &= ~(URE_RCR_AAP | URE_RCR_AM);
+	rxmode |= URE_RCR_APM;	/* accept physical match packets */
+	rxmode |= URE_RCR_AB;	/* always accept broadcasts */
 	if (ifp->if_flags & (IFF_ALLMULTI | IFF_PROMISC)) {
 		if (ifp->if_flags & IFF_PROMISC)
 			rxmode |= URE_RCR_AAP;
-- 
2.45.0