[Bug 263824] genet(4): Driver interface may overwrite memory in a consecutive memory copy operations when parsing TX packet

Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 09 May 2022 13:46:48 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263824

--- Comment #5 from commit-hook@FreeBSD.org ---
A commit in branch main references this bug:

URL:
https://cgit.FreeBSD.org/src/commit/?id=1de9aa4d4f7938f36e6485dad817908a6e45bb32

commit 1de9aa4d4f7938f36e6485dad817908a6e45bb32
Author:     Mike Karels <karels@FreeBSD.org>
AuthorDate: 2022-05-09 12:19:52 +0000
Commit:     Mike Karels <karels@FreeBSD.org>
CommitDate: 2022-05-09 13:46:06 +0000

    genet: fix output packet corruption in uncommon case

    The code for the "shift" block in the COPY macro set the pointer for
    the next copy block to the wrong value.  In this case, the link-layer
    header would be overwritten by the network-layer header.  This case is
    difficult or impossible to exercise in the current driver without
    changing the value of the hw.genet.tx_hdr_min sysctl.  Correct the
    pointer.  While here, remove a line in the macro that was marked
    "unneeded", which was actually wrong.

    PR:             263824
    Submitted by:   jiahali@blackberry.com
    MFC after:      2 weeks

 sys/arm64/broadcom/genet/if_genet.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.