authorJonathan Gray <jsg@cvs.openbsd.org>2022-03-23 13:03:37 +0000
committerJonathan Gray <jsg@cvs.openbsd.org>2022-03-23 13:03:37 +0000
commit54ecaa6398c4b94039f499fb5a592b08d95f9e68 (patch)
tree57d27756bf25bc45dca0394a7be279b1f30abb30
parentb775063e019622237d6e30609d8fb186cfda92de (diff)
KASSERT() that an id read from a descriptor is valid before using it
as an index into an array. Reported by Demi Marie Obenour of Invisible Things Lab. feedback and ok jmatthew@
-rw-r--r--sys/dev/pv/if_xnf.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/sys/dev/pv/if_xnf.c b/sys/dev/pv/if_xnf.c
index 85210569d88..9661e02c327 100644
--- a/sys/dev/pv/if_xnf.c
+++ b/sys/dev/pv/if_xnf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_xnf.c,v 1.67 2022/01/09 05:42:58 jsg Exp $ */
+/* $OpenBSD: if_xnf.c,v 1.68 2022/03/23 13:03:36 jsg Exp $ */
/*
* Copyright (c) 2015, 2016 Mike Belopuhov
@@ -720,6 +720,7 @@ xnf_txeof(struct xnf_softc *sc)
i = cons & (XNF_TX_DESC - 1);
txd = &txr->txr_desc[i];
id = txd->txd_rsp.txp_id;
+ KASSERT(id < XNF_TX_DESC);
txb = &sc->sc_tx_buf[id];
KASSERT(txb->txb_ndesc > 0);
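Review bot: The new bound on `id` in xnf_txeof is a `KASSERT`, which OpenBSD compiles to a no-op unless the kernel is built with `option DIAGNOSTIC`, so on such kernels `sc->sc_tx_buf[id]` is still indexed with a value taken straight from the ring response. Where the assertion is active, an out-of-range id written by the backend panics the guest rather than being handled as an I/O error. An unconditional check such as `if (id >= XNF_TX_DESC)` that logs and skips the response, or marks the interface down, would hold on every kernel configuration; the same applies to the `KASSERT(id < XNF_RX_DESC)` lines added in xnf_rxeof and xnf_rx_ring_fill. The body of xnf_txeof continues outside this hunk, so the appropriate recovery path cannot be judged from here.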
@@ -777,6 +778,8 @@ xnf_rxeof(struct xnf_softc *sc)
flags = rxd->rxd_rsp.rxp_flags;
offset = rxd->rxd_rsp.rxp_offset;
+ KASSERT(id < XNF_RX_DESC);
+
dmap = sc->sc_rx_dmap[id];
bus_dmamap_sync(sc->sc_dmat, dmap, 0, 0,
BUS_DMASYNC_POSTREAD | BUS_DMASYNC_POSTWRITE);
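Review bot: `rxp_offset` and `rxp_flags` are read from the same backend-written response as `id`, just above the new assertion, but only `id` gets a range check in this hunk. If `offset` is later used to position data inside the receive cluster, it would need a bound against `XNF_MCLEN` as well; whether that check already exists further down in xnf_rxeof is not visible here. A short comment next to the reads, e.g. `/* response fields are written by the backend; validate before use */`, would make the trust boundary explicit.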
@@ -862,6 +865,7 @@ xnf_rx_ring_fill(struct xnf_softc *sc)
rxd = &rxr->rxr_desc[i];
id = rxd->rxd_rsp.rxp_id;
+ KASSERT(id < XNF_RX_DESC);
if (sc->sc_rx_buf[id])
break;
m = MCLGETL(NULL, M_DONTWAIT, XNF_MCLEN);