From 7271f09891bb39b64f2a58632c92c1456ed9cf31 Mon Sep 17 00:00:00 2001
From: Andy Fiddaman
Date: Wed, 6 Apr 2022 15:41:07 +0000
Subject: 14625 Bhyve e82545 device emulation out-of-bounds write
Reviewed by: Jason King
Reviewed by: Toomas Soome
Approved by: Dan McDonald
---
usr/src/cmd/bhyve/pci_e82545.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/usr/src/cmd/bhyve/pci_e82545.c b/usr/src/cmd/bhyve/pci_e82545.c
index 25cf0a48e7..f4eaa0c93b 100644
--- usr/src/cmd/bhyve/pci_e82545.c
+++ b/usr/src/cmd/bhyve/pci_e82545.c
@@ -1279,9 +1279,7 @@ e82545_transmit(struct e82545_softc *sc, uint16_t head, uint16_t tail,
 goto done;
 }
 if (sc->esc_txctx.cmd_and_length & E1000_TXD_CMD_TCP) {
- if (hdrlen < ckinfo[1].ck_start + 14 ||
- (ckinfo[1].ck_valid &&
- hdrlen < ckinfo[1].ck_off + 2)) {
+ if (hdrlen < ckinfo[1].ck_start + 14) {
 WPRINTF("TSO hdrlen too small for TCP fields "
 "(%d) -- dropped", hdrlen);
 goto done;
@@ -1293,6 +1291,11 @@ e82545_transmit(struct e82545_softc *sc, uint16_t head, uint16_t tail,
 goto done;
 }
 }
+ if (ckinfo[1].ck_valid && hdrlen < ckinfo[1].ck_off + 2) {
+ WPRINTF("TSO hdrlen too small for TCP/UDP fields "
+ "(%d) -- dropped", hdrlen);
+ goto done;
+ }
 }
 /* Allocate, fill and prepend writable header vector. */
--
cgit v1.2.3
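Review bot: The relocated `ck_off + 2` guard in the second hunk has no comment saying why it sits outside the TCP/UDP branch, yet that placement is the whole fix; a later tidy-up could fold it back into one arm and leave the other protocol unchecked again. I would add above it something like `/* The checksum is stored as 2 bytes at ck_off in the header; this must hold for TCP and UDP alike. */`, with the wording confirmed against the store, which is not in this hunk. The guard also bounds `ck_off` only relative to `hdrlen`, so it presumably relies on `hdrlen` having been limited to the header buffer's size earlier in `e82545_transmit`, outside the visible lines. It is worth confirming that limit is enforced before this block is reached.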