From owner-svn-src-all@FreeBSD.ORG Fri Jun 6 10:50:15 2014 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 4D26B6CC; Fri, 6 Jun 2014 10:50:15 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 3AF1C2176; Fri, 6 Jun 2014 10:50:15 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s56AoFBm061844; Fri, 6 Jun 2014 10:50:15 GMT (envelope-from luigi@svn.freebsd.org) Received: (from luigi@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s56AoFfH061843; Fri, 6 Jun 2014 10:50:15 GMT (envelope-from luigi@svn.freebsd.org) Message-Id: <201406061050.s56AoFfH061843@svn.freebsd.org> From: Luigi Rizzo Date: Fri, 6 Jun 2014 10:50:15 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r267151 - head/sys/dev/netmap X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 06 Jun 2014 10:50:15 -0000 Author: luigi Date: Fri Jun 6 10:50:14 2014 New Revision: 267151 URL: http://svnweb.freebsd.org/changeset/base/267151 Log: add checks for invalid buffer pointers and lengths Modified: head/sys/dev/netmap/netmap_vale.c Modified: head/sys/dev/netmap/netmap_vale.c ============================================================================== --- head/sys/dev/netmap/netmap_vale.c Fri Jun 6 10:40:20 2014 (r267150) +++ head/sys/dev/netmap/netmap_vale.c Fri Jun 6 10:50:14 2014 (r267151) @@ -959,6 +959,14 @@ nm_bdg_preflush(struct netmap_vp_adapter ft[ft_i].ft_next = NM_FT_NULL; buf = ft[ft_i].ft_buf = (slot->flags & NS_INDIRECT) ? (void *)(uintptr_t)slot->ptr : BDG_NMB(&na->up, slot); + if (unlikely(buf == NULL)) { + RD(5, "NULL %s buffer pointer from %s slot %d len %d", + (slot->flags & NS_INDIRECT) ? "INDIRECT" : "DIRECT", + kring->name, j, ft[ft_i].ft_len); + buf = ft[ft_i].ft_buf = NMB_VA(0); /* the 'null' buffer */ + ft[ft_i].ft_len = 0; + ft[ft_i].ft_flags = 0; + } __builtin_prefetch(buf); ++ft_i; if (slot->flags & NS_MOREFRAG) { @@ -1312,6 +1320,7 @@ nm_bdg_flush(struct nm_bdg_fwd *ft, u_in needed = d->bq_len + brddst->bq_len; if (unlikely(dst_na->virt_hdr_len != na->virt_hdr_len)) { + RD(3, "virt_hdr_mismatch, src %d len %d", na->virt_hdr_len, dst_na->virt_hdr_len); /* There is a virtio-net header/offloadings mismatch between * source and destination. The slower mismatch datapath will * be used to cope with all the mismatches. @@ -1412,6 +1421,11 @@ retry: /* round to a multiple of 64 */ copy_len = (copy_len + 63) & ~63; + if (unlikely(copy_len > NETMAP_BUF_SIZE || + copy_len > NETMAP_BUF_SIZE)) { + RD(5, "invalid len %d, down to 64", (int)copy_len); + copy_len = dst_len = 64; // XXX + } if (ft_p->ft_flags & NS_INDIRECT) { if (copyin(src, dst, copy_len)) { // invalid user pointer, pretend len is 0