Author: adrian
Date: Sat Oct  3 15:52:58 2015
New Revision: 288605
URL: https://svnweb.freebsd.org/changeset/base/288605

Log:
  rum(4): check mbuf size before accessing its contents
  
  Submitted by: <[email protected]>
  Differential Revision:        https://reviews.freebsd.org/D3610

Modified:
  head/sys/dev/usb/wlan/if_rum.c

Modified: head/sys/dev/usb/wlan/if_rum.c
==============================================================================
--- head/sys/dev/usb/wlan/if_rum.c      Sat Oct  3 15:49:55 2015        
(r288604)
+++ head/sys/dev/usb/wlan/if_rum.c      Sat Oct  3 15:52:58 2015        
(r288605)
@@ -912,6 +912,7 @@ rum_bulk_read_callback(struct usb_xfer *
 {
        struct rum_softc *sc = usbd_xfer_softc(xfer);
        struct ieee80211com *ic = &sc->sc_ic;
+       struct ieee80211_frame_min *wh;
        struct ieee80211_node *ni;
        struct mbuf *m = NULL;
        struct usb_page_cache *pc;
@@ -959,6 +960,8 @@ rum_bulk_read_callback(struct usb_xfer *
                usbd_copy_out(pc, RT2573_RX_DESC_SIZE,
                    mtod(m, uint8_t *), len);
 
+               wh = mtod(m, struct ieee80211_frame_min *);
+
                /* finalize mbuf */
                m->m_pkthdr.len = m->m_len = (flags >> 16) & 0xfff;
 
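Review bot: The length assigned on the `/* finalize mbuf */` line comes from the device-supplied RX descriptor (`(flags >> 16) & 0xfff`), and nothing in this hunk compares it with `len`, the byte count that `usbd_copy_out()` actually placed in the mbuf. The size check added in the later `tr_setup` hunk tests `m->m_len`, so it bounds the length the device claims rather than the amount of data copied. A descriptor that overstates the frame length would leave uncopied buffer bytes to be parsed as frame contents. Unless a check outside this hunk already covers it, compare the descriptor length against `len` before the assignment and drop the frame when it is larger. The body of rum_bulk_read_callback starts and ends outside the hunk, so such a check may exist where it is not visible here.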
@@ -987,8 +990,11 @@ tr_setup:
                 */
                RUM_UNLOCK(sc);
                if (m) {
-                       ni = ieee80211_find_rxnode(ic,
-                           mtod(m, struct ieee80211_frame_min *));
+                       if (m->m_len >= sizeof(struct ieee80211_frame_min))
+                               ni = ieee80211_find_rxnode(ic, wh);
+                       else
+                               ni = NULL;
+
                        if (ni != NULL) {
                                (void) ieee80211_input(ni, m, rssi,
                                    RT2573_NOISE_FLOOR);
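Review bot: The guard on `m->m_len` sits here, but the pointer it protects, `wh`, is taken in the earlier hunk, before the mbuf length is finalized and before `RUM_UNLOCK(sc)`. Keeping the check and the access together is easier to audit and makes the new `wh` local unnecessary: `ni = ieee80211_find_rxnode(ic, mtod(m, struct ieee80211_frame_min *));` inside the `if`. The `else` branch would also benefit from a comment such as `/* runt frame: too short for the minimal 802.11 header, skip node lookup */`. The `if (ni != NULL)` block continues past the end of the hunk, so what happens to a short frame once `ni` is NULL is not visible here and is worth confirming.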