Date: Sun, 11 Jan 2004 22:40:03 -0500
From: David Gilbert <dgilbert@dclg.ca>
To: Andre Oppermann <andre@freebsd.org>
Cc: David Gilbert <dgilbert@dclg.ca>
Subject: Re: off-by-one error in ip_fragment, recently.
Message-ID: <16386.5907.94237.791025@canoe.dclg.ca>
In-Reply-To: <40008FCD.90525A33@freebsd.org>
References: <16384.14322.83258.940369@canoe.dclg.ca> <40008783.330FAFF4@freebsd.org> <40008FCD.90525A33@freebsd.org>

Further in followup to the ip_fragment() bug, at the crash, off = 1500,
len = 1480 and ip->ip_len = 21248.

So m_copym() is being called with off > len.

Dave.

-- 
============================================================================
|David Gilbert, Independent Contractor.       | Two things can only be     |
|Mail:       dave@daveg.ca                    |  equal if and only if they |
|http://daveg.ca                              |   are precisely opposite.  |
=========================================================GLO================

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?16386.5907.94237.791025>