From owner-svn-src-stable@FreeBSD.ORG Mon Apr 4 20:41:35 2011 Return-Path: Delivered-To: svn-src-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E0077106566C; Mon, 4 Apr 2011 20:41:35 +0000 (UTC) (envelope-from yongari@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id CE8118FC08; Mon, 4 Apr 2011 20:41:35 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id p34KfZvX095175; Mon, 4 Apr 2011 20:41:35 GMT (envelope-from yongari@svn.freebsd.org) Received: (from yongari@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id p34KfZOp095173; Mon, 4 Apr 2011 20:41:35 GMT (envelope-from yongari@svn.freebsd.org) Message-Id: <201104042041.p34KfZOp095173@svn.freebsd.org> From: Pyun YongHyeon Date: Mon, 4 Apr 2011 20:41:35 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org X-SVN-Group: stable-7 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r220343 - stable/7/sys/dev/fxp X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Apr 2011 20:41:36 -0000 Author: yongari Date: Mon Apr 4 20:41:35 2011 New Revision: 220343 URL: http://svn.freebsd.org/changeset/base/220343 Log: MFC r220103: Normally fxp(4) does not receive bad frames but promiscuous mode makes controller to receive bad frames and i82557 will also receive bad frames since fxp(4) have to receive VLAN oversized frames. If fxp(4) encounter DMA overrun error, the received frame size would be 0 so the actual frame size after checksum field extraction the length would be negative(-2). Due to signed/unsigned comparison used in driver, frame length check did not work for DMA overrun frames. Correct this by casting it to int. While I'm here explicitly check DMA overrun error and discard the frame regardless of result of received frame length check. Reported by: n_hibma Tested by: n_hibma Modified: stable/7/sys/dev/fxp/if_fxp.c Directory Properties: stable/7/sys/ (props changed) stable/7/sys/cddl/contrib/opensolaris/ (props changed) stable/7/sys/contrib/dev/acpica/ (props changed) stable/7/sys/contrib/pf/ (props changed) Modified: stable/7/sys/dev/fxp/if_fxp.c ============================================================================== --- stable/7/sys/dev/fxp/if_fxp.c Mon Apr 4 20:40:39 2011 (r220342) +++ stable/7/sys/dev/fxp/if_fxp.c Mon Apr 4 20:41:35 2011 (r220343) @@ -1937,11 +1937,11 @@ fxp_intr_body(struct fxp_softc *sc, stru /* Adjust for appended checksum bytes. */ total_len -= 2; } - if (total_len < sizeof(struct ether_header) || + if (total_len < (int)sizeof(struct ether_header) || total_len > (MCLBYTES - RFA_ALIGNMENT_FUDGE - sc->rfa_size) || status & (FXP_RFA_STATUS_CRC | - FXP_RFA_STATUS_ALIGN)) { + FXP_RFA_STATUS_ALIGN | FXP_RFA_STATUS_OVERRUN)) { m_freem(m); fxp_add_rfabuf(sc, rxp); continue;