Patch the WaveLAN/IEEE driver to detect and reject oversized received

frames (or just insane received packet lengths generated due to errors
reading from the NIC's internal buffers). Anything too large to fit
safely into an mbuf cluster buffer is discarded and an error logged.

I have not observed this problem with my own cards, but on user has
reported it and adding the sanity test seems reasonable in any case.

Problem noted and patch provided by: Per Andersson <per@cdg.chalmers.se>
This commit is contained in:
Bill Paul 1999-07-04 14:40:22 +00:00
parent 4b861c74b9
commit f30fba37d7
2 changed files with 38 additions and 4 deletions

View File

@ -29,7 +29,7 @@
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
* THE POSSIBILITY OF SUCH DAMAGE.
*
* $Id: if_wi.c,v 1.55 1999/06/06 16:41:44 wpaul Exp $
* $Id: if_wi.c,v 1.56 1999/07/04 14:35:23 wpaul Exp $
*/
/*
@ -116,7 +116,7 @@
#if !defined(lint)
static const char rcsid[] =
"$Id: if_wi.c,v 1.55 1999/06/06 16:41:44 wpaul Exp $";
"$Id: if_wi.c,v 1.56 1999/07/04 14:35:23 wpaul Exp $";
#endif
static struct wi_softc wi_softc[NWI];
@ -415,6 +415,14 @@ static void wi_rxeof(sc)
if (rx_frame.wi_status == WI_STAT_1042 ||
rx_frame.wi_status == WI_STAT_TUNNEL ||
rx_frame.wi_status == WI_STAT_WMP_MSG) {
if((rx_frame.wi_dat_len + WI_SNAPHDR_LEN) > MCLBYTES) {
printf("wi%d: oversized packet received "
"(wi_dat_len=%d, wi_status=0x%x)\n", sc->wi_unit,
rx_frame.wi_dat_len, rx_frame.wi_status);
m_freem(m);
ifp->if_ierrors++;
return;
}
m->m_pkthdr.len = m->m_len =
rx_frame.wi_dat_len + WI_SNAPHDR_LEN;
@ -433,6 +441,15 @@ static void wi_rxeof(sc)
return;
}
} else {
if((rx_frame.wi_dat_len +
sizeof(struct ether_header)) > MCLBYTES) {
printf("wi%d: oversized packet received "
"(wi_dat_len=%d, wi_status=0x%x)\n", sc->wi_unit,
rx_frame.wi_dat_len, rx_frame.wi_status);
m_freem(m);
ifp->if_ierrors++;
return;
}
m->m_pkthdr.len = m->m_len =
rx_frame.wi_dat_len + sizeof(struct ether_header);

View File

@ -29,7 +29,7 @@
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
* THE POSSIBILITY OF SUCH DAMAGE.
*
* $Id: if_wi.c,v 1.55 1999/06/06 16:41:44 wpaul Exp $
* $Id: if_wi.c,v 1.56 1999/07/04 14:35:23 wpaul Exp $
*/
/*
@ -116,7 +116,7 @@
#if !defined(lint)
static const char rcsid[] =
"$Id: if_wi.c,v 1.55 1999/06/06 16:41:44 wpaul Exp $";
"$Id: if_wi.c,v 1.56 1999/07/04 14:35:23 wpaul Exp $";
#endif
static struct wi_softc wi_softc[NWI];
@ -415,6 +415,14 @@ static void wi_rxeof(sc)
if (rx_frame.wi_status == WI_STAT_1042 ||
rx_frame.wi_status == WI_STAT_TUNNEL ||
rx_frame.wi_status == WI_STAT_WMP_MSG) {
if((rx_frame.wi_dat_len + WI_SNAPHDR_LEN) > MCLBYTES) {
printf("wi%d: oversized packet received "
"(wi_dat_len=%d, wi_status=0x%x)\n", sc->wi_unit,
rx_frame.wi_dat_len, rx_frame.wi_status);
m_freem(m);
ifp->if_ierrors++;
return;
}
m->m_pkthdr.len = m->m_len =
rx_frame.wi_dat_len + WI_SNAPHDR_LEN;
@ -433,6 +441,15 @@ static void wi_rxeof(sc)
return;
}
} else {
if((rx_frame.wi_dat_len +
sizeof(struct ether_header)) > MCLBYTES) {
printf("wi%d: oversized packet received "
"(wi_dat_len=%d, wi_status=0x%x)\n", sc->wi_unit,
rx_frame.wi_dat_len, rx_frame.wi_status);
m_freem(m);
ifp->if_ierrors++;
return;
}
m->m_pkthdr.len = m->m_len =
rx_frame.wi_dat_len + sizeof(struct ether_header);