Fix for unaligned IP-header.

The mbuf length fields must be set before m_adj() is called else m_adj() will not always adjust the mbuf and an unaligned read exception can trigger inside the network stack. This can happen on platforms where unaligned reads are not supported. Adjust a length check to include the 2-byte ethernet alignment while at it. MFC after: 3 days
2015-11-06 12:54:27 +00:00 · 2015-11-06 12:54:27 +00:00 · a51f980180
commit a51f980180
parent 72c33534b2
2 changed files with 3 additions and 1 deletions
--- a/sys/dev/usb/net/if_cdce.c
+++ b/sys/dev/usb/net/if_cdce.c
@ -1535,6 +1535,7 @@ cdce_ncm_bulk_read_callback(struct usb_xfer *xfer, usb_error_t error)

 			/* check if we have a buffer */
 			if (m) {
+				m->m_len = m->m_pkthdr.len = temp + ETHER_ALIGN;
 				m_adj(m, ETHER_ALIGN);

 				usbd_copy_out(pc, offset, m->m_data, temp);
--- a/sys/dev/usb/net/if_urndis.c
+++ b/sys/dev/usb/net/if_urndis.c
@ -884,7 +884,7 @@ urndis_bulk_read_callback(struct usb_xfer *xfer, usb_error_t error)
 				DPRINTF("invalid ethernet size "
 				    "%u < %u\n", msg.rm_datalen, (unsigned)sizeof(struct ether_header));
 				goto tr_setup;
-			} else if (msg.rm_datalen > (uint32_t)MCLBYTES) {
+			} else if (msg.rm_datalen > (uint32_t)(MCLBYTES - ETHER_ALIGN)) {
 				if_inc_counter(ifp, IFCOUNTER_IERRORS, 1);
 				DPRINTF("invalid ethernet size "
 				    "%u > %u\n",
@ -898,6 +898,7 @@ urndis_bulk_read_callback(struct usb_xfer *xfer, usb_error_t error)

 			/* check if we have a buffer */
 			if (m != NULL) {
+				m->m_len = m->m_pkthdr.len = msg.rm_datalen + ETHER_ALIGN;
 				m_adj(m, ETHER_ALIGN);

 				usbd_copy_out(pc, offset + msg.rm_dataoffset +