The branch releng/12.3 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=9c55c1cf567c598b0bbb2e996d09ca0b44ba88f5
commit 9c55c1cf567c598b0bbb2e996d09ca0b44ba88f5 Author: Mark Johnston <[email protected]> AuthorDate: 2022-04-05 23:20:50 +0000 Commit: Ed Maste <[email protected]> CommitDate: 2022-04-05 23:28:58 +0000 bhyve: validate e82545 checksum offset field Reported by: Mehdi Talbi, Synacktiv (cherry picked from commit b0aa20bec5db244980a0248e24dd6b8e1e68c4d0) (cherry picked from commit 53f72209479885dfa6a7e6ed68cbc82c68464f4b) (cherry picked from commit 1da62e16e4a2270c85db1f507cc3025c5e0d9fdd) Approved by: so Security: CVE-2022-23087 Security: FreeBSD-SA-22:05.bhyve --- usr.sbin/bhyve/pci_e82545.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/usr.sbin/bhyve/pci_e82545.c b/usr.sbin/bhyve/pci_e82545.c index c6ca5882a535..2a1e54d89c59 100644 --- a/usr.sbin/bhyve/pci_e82545.c +++ b/usr.sbin/bhyve/pci_e82545.c @@ -1275,9 +1275,7 @@ e82545_transmit(struct e82545_softc *sc, uint16_t head, uint16_t tail, goto done; } if (sc->esc_txctx.cmd_and_length & E1000_TXD_CMD_TCP) { - if (hdrlen < ckinfo[1].ck_start + 14 || - (ckinfo[1].ck_valid && - hdrlen < ckinfo[1].ck_off + 2)) { + if (hdrlen < ckinfo[1].ck_start + 14) { WPRINTF("TSO hdrlen too small for TCP fields " "(%d) -- dropped", hdrlen); goto done; @@ -1289,6 +1287,11 @@ e82545_transmit(struct e82545_softc *sc, uint16_t head, uint16_t tail, goto done; } } + if (ckinfo[1].ck_valid && hdrlen < ckinfo[1].ck_off + 2) { + WPRINTF("TSO hdrlen too small for TCP/UDP fields " + "(%d) -- dropped", hdrlen); + goto done; + } } /* Allocate, fill and prepend writable header vector. */
