aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGordon Tetlow <gordon@FreeBSD.org>2020-09-15 21:42:05 +0000
committerGordon Tetlow <gordon@FreeBSD.org>2020-09-15 21:42:05 +0000
commit1f5f8963a7d14279a7b4b058e3aaf444179d627c (patch)
tree43635f099216fc185c2388ab5e64565c70ae74db
parent145fad722bf818e7924a3af3d383ee21d357c737 (diff)
downloadsrc-1f5f8963a7d14279a7b4b058e3aaf444179d627c.tar.gz
src-1f5f8963a7d14279a7b4b058e3aaf444179d627c.zip
Fix ure device driver susceptible to packet-in-packet attack.
Approved by: so Approved by: re (implicit for releng/12.2) Security: FreeBSD-SA-20:27.ure Security: CVE-2020-7464
Notes
Notes: svn path=/releng/12.1/; revision=365778
-rw-r--r--sys/dev/usb/net/if_ure.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/sys/dev/usb/net/if_ure.c b/sys/dev/usb/net/if_ure.c
index 24ce36b64a62..c6284b423d5c 100644
--- a/sys/dev/usb/net/if_ure.c
+++ b/sys/dev/usb/net/if_ure.c
@@ -784,9 +784,10 @@ ure_rxfilter(struct usb_ether *ue)
URE_LOCK_ASSERT(sc, MA_OWNED);
- rxmode = URE_RCR_APM;
- if (ifp->if_flags & IFF_BROADCAST)
- rxmode |= URE_RCR_AB;
+ rxmode = ure_read_4(sc, URE_PLA_RCR, URE_MCU_TYPE_PLA);
+ rxmode &= ~(URE_RCR_AAP | URE_RCR_AM);
+ rxmode |= URE_RCR_APM; /* accept physical match packets */
+ rxmode |= URE_RCR_AB; /* always accept broadcasts */
if (ifp->if_flags & (IFF_ALLMULTI | IFF_PROMISC)) {
if (ifp->if_flags & IFF_PROMISC)
rxmode |= URE_RCR_AAP;