From f276d25e5cc4e1e566da9dba2fd405c39d72c153 Mon Sep 17 00:00:00 2001
From: damien <damien@openbsd.org>
Date: Tue, 3 Oct 2006 19:48:21 +0000
Subject: make sure to call SLIST_INIT on sc->rx_freelist. sanity check length
 field in RX descriptors.

---
 sys/dev/usb/if_uath.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

(limited to 'sys/dev/usb/if_uath.c')

diff --git a/sys/dev/usb/if_uath.c b/sys/dev/usb/if_uath.c
index 56a86f71780..3a30a58d718 100644
--- a/sys/dev/usb/if_uath.c
+++ b/sys/dev/usb/if_uath.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: if_uath.c,v 1.10 2006/09/20 19:47:17 damien Exp $	*/
+/*	$OpenBSD: if_uath.c,v 1.11 2006/10/03 19:48:21 damien Exp $	*/
 
 /*-
  * Copyright (c) 2006
@@ -114,8 +114,8 @@ static const struct uath_type {
 	UATH_DEV_UX(DLINK,		DWLAG122),
 	UATH_DEV_UX(DLINK,		DWLAG132),	
 	UATH_DEV_UG(DLINK,		DWLG132),
-	UATH_DEV_UG(GIGASET,		SMCWUSBTG),
 	UATH_DEV_UG(GIGASET,		AR5523),
+	UATH_DEV_UG(GIGASET,		SMCWUSBTG),
 	UATH_DEV_UG(GLOBALSUN,		AR5523_1),
 	UATH_DEV_UX(GLOBALSUN,		AR5523_2),
 	UATH_DEV_UX(NETGEAR,		WG111U),
@@ -585,6 +585,7 @@ uath_alloc_rx_data_list(struct uath_softc *sc)
 {
 	int i, error;
 
+	SLIST_INIT(&sc->rx_freelist);
 	for (i = 0; i < UATH_RX_DATA_POOL_COUNT; i++) {
 		struct uath_rx_data *data = &sc->rx_data[i];
 
@@ -1193,9 +1194,8 @@ uath_data_rxeof(usbd_xfer_handle xfer, usbd_private_handle priv,
 	}
 	usbd_get_xfer_status(xfer, NULL, NULL, &len, NULL);
 
-	if (len < UATH_MIN_RXBUFSZ || len > sc->rxbufsz) {
-		DPRINTF(("wrong xfer size: !(%d <= %d <= %d)\n",
-		    UATH_MIN_RXBUFSZ, len, sc->rxbufsz));
+	if (len < UATH_MIN_RXBUFSZ) {
+		DPRINTF(("wrong xfer size (len=%d)\n", len));
 		ifp->if_ierrors++;
 		goto skip;
 	}
@@ -1206,6 +1206,12 @@ uath_data_rxeof(usbd_xfer_handle xfer, usbd_private_handle priv,
 	desc = (struct uath_rx_desc *)
 	    (data->buf + len - sizeof (struct uath_rx_desc));
 
+	if (betoh32(desc->len) > sc->rxbufsz) {
+		DPRINTF(("bad descriptor (len=%d)\n", betoh32(desc->len)));
+		ifp->if_ierrors++;
+		goto skip;
+	}
+
 	/* there's probably a "bad CRC" flag somewhere in the descriptor.. */
 
 	MGETHDR(m, M_DONTWAIT, MT_DATA);
-- 
cgit v1.2.3-59-g8ed1b