From 8dd663c1cb578e5ad309cae4296ab3fe72d4e2c9 Mon Sep 17 00:00:00 2001 From: yongari Date: Mon, 28 Mar 2011 16:58:48 +0000 Subject: Normally fxp(4) does not receive bad frames but promiscuous mode makes controller to receive bad frames and i82557 will also receive bad frames since fxp(4) have to receive VLAN oversized frames. If fxp(4) encounter DMA overrun error, the received frame size would be 0 so the actual frame size after checksum field extraction the length would be negative(-2). Due to signed/unsigned comparison used in driver, frame length check did not work for DMA overrun frames. Correct this by casting it to int. While I'm here explicitly check DMA overrun error and discard the frame regardless of result of received frame length check. Reported by: n_hibma Tested by: n_hibma MFC after: 1 week --- sys/dev/fxp/if_fxp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'sys/dev/fxp') diff --git a/sys/dev/fxp/if_fxp.c b/sys/dev/fxp/if_fxp.c index fc22a96..70d863c 100644 --- a/sys/dev/fxp/if_fxp.c +++ b/sys/dev/fxp/if_fxp.c @@ -1941,11 +1941,11 @@ fxp_intr_body(struct fxp_softc *sc, struct ifnet *ifp, uint8_t statack, /* Adjust for appended checksum bytes. */ total_len -= 2; } - if (total_len < sizeof(struct ether_header) || + if (total_len < (int)sizeof(struct ether_header) || total_len > (MCLBYTES - RFA_ALIGNMENT_FUDGE - sc->rfa_size) || status & (FXP_RFA_STATUS_CRC | - FXP_RFA_STATUS_ALIGN)) { + FXP_RFA_STATUS_ALIGN | FXP_RFA_STATUS_OVERRUN)) { m_freem(m); fxp_add_rfabuf(sc, rxp); continue; -- cgit v1.1