FreeBSD Bugzilla – Attachment 224927 Details for Bug 255863: [PATCH] dev/cxgb: Fix a use after free in get_packet
[patch] add new variables to avoid uaf.
0001-dev-cxgb-uaf-get_packet.patch (text/plain), 1.19 KB, created by lylgood on 2021-05-14 10:11:06 UTC
>diff --git a/sys/dev/cxgb/cxgb_sge.c b/sys/dev/cxgb/cxgb_sge.c >index f13d2f03180c..8f4afbe48e2a 100644 >--- a/sys/dev/cxgb/cxgb_sge.c >+++ b/sys/dev/cxgb/cxgb_sge.c >@@ -2716,6 +2716,7 @@ get_packet(adapter_t *adap, unsigned int drop_thres, struct sge_qset *qs, > caddr_t cl; > struct mbuf *m; > int ret = 0; >+ int m_len,m_pkthdr_len; > > mask = fl->size - 1; > prefetch(fl->sdesc[(cidx + 1) & mask].m); >@@ -2757,7 +2758,10 @@ get_packet(adapter_t *adap, unsigned int drop_thres, struct sge_qset *qs, > m_cljset(m, cl, fl->type); > } > m->m_len = len; >- } >+ } >+ >+ m_len = m->m_len; >+ m_pkthdr_len = m->m_pkthdr.len; > switch(sopeop) { > case RSPQ_SOP_EOP: > ret = 1; >@@ -2765,6 +2769,7 @@ get_packet(adapter_t *adap, unsigned int drop_thres, struct sge_qset *qs, > case RSPQ_SOP: > mh->mh_head = mh->mh_tail = m; > m->m_pkthdr.len = len; >+ m_pkthdr_len = m->m_pkthdr.len; > break; > case RSPQ_EOP: > ret = 1; >@@ -2781,7 +2786,7 @@ get_packet(adapter_t *adap, unsigned int drop_thres, struct sge_qset *qs, > break; > } > if (cxgb_debug) >- printf("len=%d pktlen=%d\n", m->m_len, m->m_pkthdr.len); >+ printf("len=%d pktlen=%d\n", m_len, m_pkthdr_len); > done: > if (++fl->cidx == fl->size) > fl->cidx = 0;
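Review bot: In the first hunk (the declarations at the top of get_packet), `int m_len,m_pkthdr_len;` is missing the space after the comma, and both locals reuse the names of the mbuf fields they copy, so `m_len` and `m->m_len` are easy to confuse when reading the rest of the function. Names that say what the copies are for, for example `int dbg_len, dbg_pktlen;`, would make it clear they exist only to feed the debug printf.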
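Review bot: In the second hunk, nothing in the patch or in the description "add new variables to avoid uaf" says which statement between the new snapshot before `switch(sopeop)` and the printf under `if (cxgb_debug)` can release `m`. Please name that path in the commit message so the fix can be checked against it. The two loads `m_len = m->m_len;` and `m_pkthdr_len = m->m_pkthdr.len;` also run for every packet although their only consumer is the debug printf; guarding them with `if (cxgb_debug)` would keep the cost off the normal receive path. The `- }` / `+ }` pair in the same hunk looks like a whitespace-only change and should be dropped from the patch.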
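Review bot: In the third hunk, inside `case RSPQ_SOP:`, `m_pkthdr_len = m->m_pkthdr.len;` reads back the field that the line above has just set with `m->m_pkthdr.len = len;`, so `m_pkthdr_len = len;` states the same thing without touching the mbuf again. For every other case the printf in the last hunk now prints the value sampled before the switch, and the only assignment to `m->m_pkthdr.len` visible in the patch is the one in `RSPQ_SOP`, so for those cases `pktlen` is whatever the mbuf held on entry. A short comment at the printf saying that the values are a pre-switch snapshot would keep the debug output from being misread.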