From: David van Moolenbroek <david@minix3.org>
Date: Wed, 21 Jul 2010 13:47:50 +0000 (+0000)
Subject: inet: a little more resilience against misbehaving drivers
X-Git-Tag: v3.1.8~167
X-Git-Url: http://zhaoyanbai.com/repos/Bv9ARM.ch07.html?a=commitdiff_plain;h=220eafe705588e729eb120201f9f3256a28a45a1;p=minix.git

inet: a little more resilience against misbehaving drivers
---

diff --git a/servers/inet/mnx_eth.c b/servers/inet/mnx_eth.c
index fed315dbb..18bf6b152 100644
--- a/servers/inet/mnx_eth.c
+++ b/servers/inet/mnx_eth.c
@@ -596,11 +596,38 @@ PRIVATE void read_int(eth_port, count)
 eth_port_t *eth_port;
 int count;
 {
-	acc_t *pack, *cut_pack;
+	acc_t *pack, *pack_ptr, *cut_pack;
+	iovec_s_t *iovec;
+	int i, r;
+
+	/* A buggy driver might try to feed us a reply for a request we never
+	 * sent. Don't let this cause a crash further up.
+	 */
+	if (!(eth_port->etp_flags & EPF_READ_IP))
+	{
+		printf("mnx_eth`read_int: read reply with no read going on\n");
+		return;
+	}
 
 	pack= eth_port->etp_rd_pack;
 	eth_port->etp_rd_pack= NULL;
 
+	/* Invalidate the grants first, so that the ethernet driver can no
+	 * longer modify the contents of the packet.
+	 */
+	iovec= eth_port->etp_osdep.etp_rd_iovec;
+	for (i=0, pack_ptr= pack; i<RD_IOVEC && pack_ptr;
+		i++, pack_ptr= pack_ptr->acc_next)
+	{
+		r= cpf_setgrant_disable(iovec[i].iov_grant);
+		if (r != 0)
+		{
+			ip_panic((
+			"mnx_eth`read_int: cpf_setgrant_disable failed: %d\n",
+				errno));
+		}
+	}
+
 	if (count < ETH_MIN_PACK_SIZE)
 	{
 		printf("mnx_eth`read_int: packet size too small (%d)\n",