14625 Bhyve e82545 device emulation out-of-bounds write

Reviewed by: Jason King <jason.brian.king+illumos@gmail.com> Reviewed by: Toomas Soome <tsoome@me.com> Approved by: Dan McDonald <danmcd@joyent.com>
author: Andy Fiddaman <omnios@citrus-it.co.uk> 2022-04-06 15:41:07 +0000
committer: Andy Fiddaman <omnios@citrus-it.co.uk> 2022-04-06 17:40:49 +0000
commit: 7271f09891bb39b64f2a58632c92c1456ed9cf31 (patch)
tree: 17d4c3d95be544558bf4c1fa3685573ee43c50f9
parent: 57cf819efa50a6a3b3a478c25a098c29722eb358 (diff)
download: illumos-joyent-7271f09891bb39b64f2a58632c92c1456ed9cf31.tar.gz
1 files changed, 6 insertions, 3 deletions
diff --git a/usr/src/cmd/bhyve/pci_e82545.c b/usr/src/cmd/bhyve/pci_e82545.c
index 25cf0a48e7..f4eaa0c93b 100644
--- a/usr/src/cmd/bhyve/pci_e82545.c
+++ b/usr/src/cmd/bhyve/pci_e82545.c
@@ -1279,9 +1279,7 @@ e82545_transmit(struct e82545_softc *sc, uint16_t head, uint16_t tail,
 			goto done;
 		}
 		if (sc->esc_txctx.cmd_and_length & E1000_TXD_CMD_TCP) {
-			if (hdrlen < ckinfo[1].ck_start + 14 ||
-			    (ckinfo[1].ck_valid &&
-			    hdrlen < ckinfo[1].ck_off + 2)) {
+			if (hdrlen < ckinfo[1].ck_start + 14) {
 				WPRINTF("TSO hdrlen too small for TCP fields "
 				    "(%d) -- dropped", hdrlen);
 				goto done;
@@ -1293,6 +1291,11 @@ e82545_transmit(struct e82545_softc *sc, uint16_t head, uint16_t tail,
 				goto done;
 			}
 		}
+		if (ckinfo[1].ck_valid && hdrlen < ckinfo[1].ck_off + 2) {
+			WPRINTF("TSO hdrlen too small for TCP/UDP fields "
+			    "(%d) -- dropped", hdrlen);
+			goto done;
+		}
 	}
 
 	/* Allocate, fill and prepend writable header vector. */
author	Andy Fiddaman <omnios@citrus-it.co.uk>	2022-04-06 15:41:07 +0000
committer	Andy Fiddaman <omnios@citrus-it.co.uk>	2022-04-06 17:40:49 +0000
commit	7271f09891bb39b64f2a58632c92c1456ed9cf31 (patch)
tree	17d4c3d95be544558bf4c1fa3685573ee43c50f9
parent	57cf819efa50a6a3b3a478c25a098c29722eb358 (diff)
download	illumos-joyent-7271f09891bb39b64f2a58632c92c1456ed9cf31.tar.gz