From 863d2b17b8f04e47ea8d5d8b2eea01be65fc20a2 Mon Sep 17 00:00:00 2001 From: gordon Date: Wed, 5 Aug 2020 17:11:18 +0000 Subject: [PATCH] Fix memory corruption in USB network device drivers. Approved by: so Security: FreeBSD-SA-20:21.usb_net Security: CVE-2020-7459 --- sys/dev/usb/net/if_smsc.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/sys/dev/usb/net/if_smsc.c b/sys/dev/usb/net/if_smsc.c index 1b4c2e35374..07896877c1c 100644 --- a/sys/dev/usb/net/if_smsc.c +++ b/sys/dev/usb/net/if_smsc.c @@ -970,7 +970,7 @@ smsc_bulk_read_callback(struct usb_xfer *xfer, usb_error_t error) struct mbuf *m; struct usb_page_cache *pc; uint32_t rxhdr; - uint16_t pktlen; + int pktlen; int off; int actlen; @@ -996,6 +996,9 @@ smsc_bulk_read_callback(struct usb_xfer *xfer, usb_error_t error) /* The frame header is always aligned on a 4 byte boundary */ off = ((off + 0x3) & ~0x3); + if ((off + sizeof(rxhdr)) > actlen) + goto tr_setup; + usbd_copy_out(pc, off, &rxhdr, sizeof(rxhdr)); off += (sizeof(rxhdr) + ETHER_ALIGN); rxhdr = le32toh(rxhdr); @@ -1024,7 +1027,13 @@ smsc_bulk_read_callback(struct usb_xfer *xfer, usb_error_t error) if_inc_counter(ifp, IFCOUNTER_IQDROPS, 1); goto tr_setup; } - + if (pktlen > m->m_len) { + smsc_dbg_printf(sc, "buffer too small %d vs %d bytes", + pktlen, m->m_len); + if_inc_counter(ifp, IFCOUNTER_IQDROPS, 1); + m_freem(m); + goto tr_setup; + } usbd_copy_out(pc, off, mtod(m, uint8_t *), pktlen); /* Check if RX TCP/UDP checksumming is being offloaded */ -- 2.45.0