From 991ae908e3a1e89411bf7273f034ceb8db4b8f80 Mon Sep 17 00:00:00 2001 From: Pyun YongHyeon Date: Mon, 28 Mar 2011 16:58:48 +0000 Subject: [PATCH] Normally fxp(4) does not receive bad frames but promiscuous mode makes controller to receive bad frames and i82557 will also receive bad frames since fxp(4) have to receive VLAN oversized frames. If fxp(4) encounter DMA overrun error, the received frame size would be 0 so the actual frame size after checksum field extraction the length would be negative(-2). Due to signed/unsigned comparison used in driver, frame length check did not work for DMA overrun frames. Correct this by casting it to int. While I'm here explicitly check DMA overrun error and discard the frame regardless of result of received frame length check. Reported by: n_hibma Tested by: n_hibma MFC after: 1 week --- sys/dev/fxp/if_fxp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/dev/fxp/if_fxp.c b/sys/dev/fxp/if_fxp.c index fc22a967ed3..70d863c255c 100644 --- a/sys/dev/fxp/if_fxp.c +++ b/sys/dev/fxp/if_fxp.c @@ -1941,11 +1941,11 @@ fxp_intr_body(struct fxp_softc *sc, struct ifnet *ifp, uint8_t statack, /* Adjust for appended checksum bytes. */ total_len -= 2; } - if (total_len < sizeof(struct ether_header) || + if (total_len < (int)sizeof(struct ether_header) || total_len > (MCLBYTES - RFA_ALIGNMENT_FUDGE - sc->rfa_size) || status & (FXP_RFA_STATUS_CRC | - FXP_RFA_STATUS_ALIGN)) { + FXP_RFA_STATUS_ALIGN | FXP_RFA_STATUS_OVERRUN)) { m_freem(m); fxp_add_rfabuf(sc, rxp); continue;