diff options
author | dg <dg@FreeBSD.org> | 1995-07-28 12:15:16 +0000 |
---|---|---|
committer | dg <dg@FreeBSD.org> | 1995-07-28 12:15:16 +0000 |
commit | ca0ba93fd506268ff00752471bdc2f07719d92cf (patch) | |
tree | d07f5ee015341959769adfb3e73ee06f2eb9cb08 /sys/dev/ed | |
parent | a9ef3872d1cb967c46f64fae52628d475d8bbd39 (diff) | |
download | FreeBSD-src-ca0ba93fd506268ff00752471bdc2f07719d92cf.zip FreeBSD-src-ca0ba93fd506268ff00752471bdc2f07719d92cf.tar.gz |
Fixed bug where a bogus packet length could cause a panic if the length
was less than sizeof(struct ed_ring).
Diffstat (limited to 'sys/dev/ed')
-rw-r--r-- | sys/dev/ed/if_ed.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/sys/dev/ed/if_ed.c b/sys/dev/ed/if_ed.c index af61f38..13f5799 100644 --- a/sys/dev/ed/if_ed.c +++ b/sys/dev/ed/if_ed.c @@ -13,7 +13,7 @@ * the SMC Elite Ultra (8216), the 3Com 3c503, the NE1000 and NE2000, * and a variety of similar clones. * - * $Id: if_ed.c,v 1.73 1995/05/30 08:01:58 rgrimes Exp $ + * $Id: if_ed.c,v 1.74 1995/07/25 22:18:54 bde Exp $ */ #include "ed.h" @@ -1682,7 +1682,8 @@ ed_rint(unit) ed_pio_readmem(sc, packet_ptr, (char *) &packet_hdr, sizeof(packet_hdr)); len = packet_hdr.count; - if (len > ETHER_MAX_LEN+4) { /* len includes 4 byte header */ + if (len > (ETHER_MAX_LEN + sizeof(struct ed_ring)) || + len < (ETHER_HDR_SIZE + sizeof(struct ed_ring))) { /* * Length is a wild value. There's a good chance that * this was caused by the NIC being old and buggy. @@ -1709,7 +1710,8 @@ ed_rint(unit) * the upper layer protocols can then figure out the length from * their own length field(s). */ - if ((len <= MCLBYTES) && + if ((len > sizeof(struct ed_ring)) && + (len <= MCLBYTES) && (packet_hdr.next_packet >= sc->rec_page_start) && (packet_hdr.next_packet < sc->rec_page_stop)) { /* |