git: b85c68857da3 - releng/13.0 - bhyve: validate e82545 checksum offset field
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 06 Apr 2022 03:04:14 UTC
The branch releng/13.0 has been updated by emaste:
URL: https://cgit.FreeBSD.org/src/commit/?id=b85c68857da3fdd833c4c146e2f5f49f4c16b0d7
commit b85c68857da3fdd833c4c146e2f5f49f4c16b0d7
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2022-04-05 23:26:02 +0000
Commit: Ed Maste <emaste@FreeBSD.org>
CommitDate: 2022-04-05 23:26:02 +0000
bhyve: validate e82545 checksum offset field
Reported by: Mehdi Talbi, Synacktiv
(cherry picked from commit b0aa20bec5db244980a0248e24dd6b8e1e68c4d0)
(cherry picked from commit 53f72209479885dfa6a7e6ed68cbc82c68464f4b)
Approved by: so
Security: CVE-2022-23087
Security: FreeBSD-SA-22:05.bhyve
---
usr.sbin/bhyve/pci_e82545.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/usr.sbin/bhyve/pci_e82545.c b/usr.sbin/bhyve/pci_e82545.c
index 2d09c024f258..9581e616c76c 100644
--- a/usr.sbin/bhyve/pci_e82545.c
+++ b/usr.sbin/bhyve/pci_e82545.c
@@ -1277,9 +1277,7 @@ e82545_transmit(struct e82545_softc *sc, uint16_t head, uint16_t tail,
goto done;
}
if (sc->esc_txctx.cmd_and_length & E1000_TXD_CMD_TCP) {
- if (hdrlen < ckinfo[1].ck_start + 14 ||
- (ckinfo[1].ck_valid &&
- hdrlen < ckinfo[1].ck_off + 2)) {
+ if (hdrlen < ckinfo[1].ck_start + 14) {
WPRINTF("TSO hdrlen too small for TCP fields "
"(%d) -- dropped", hdrlen);
goto done;
@@ -1291,6 +1289,11 @@ e82545_transmit(struct e82545_softc *sc, uint16_t head, uint16_t tail,
goto done;
}
}
+ if (ckinfo[1].ck_valid && hdrlen < ckinfo[1].ck_off + 2) {
+ WPRINTF("TSO hdrlen too small for TCP/UDP fields "
+ "(%d) -- dropped", hdrlen);
+ goto done;
+ }
}
/* Allocate, fill and prepend writable header vector. */