From: Jacques Fourie <jacques.fourie@gmail.com>
To: Hackers freeBSD <freebsd-hackers@freebsd.org>
Date: Fri, 11 Jan 2013 09:34:32 +0200
Subject: Possible bug in m_split() when splitting M_EXT mbufs

Hi,

Could someone please verify if m_split as in svn rev 245286 is doing the right thing in the scenario where an mbuf chain is split with len0 falling on an mbuf boundary and the mbuf in question being an M_EXT mbuf?

Consider the following example where m0 is an mbuf chain consisting of 2 M_EXT mbufs, both 1448 bytes in length. Let len0 be 1448. The 'len0 > m->m_len' check will be false so the for loop will not be entered in this case. We now have len = 1448 and remain = 0 and m still points to the first mbuf in the chain. Also assume that m0 is a pkthdr mbuf. A new pkthdr mbuf n will be allocated and initialized before the following piece of code is executed:

extpacket:
	if (m->m_flags & M_EXT) {
		n->m_data = m->m_data + len;
		mb_dupcl(n, m);
	} else {
		bcopy(mtod(m, caddr_t) + len, mtod(n, caddr_t), remain);
	}
	n->m_len = remain;
	m->m_len = len;
	n->m_next = m->m_next;
	m->m_next = NULL;
	return (n);

As m is an M_EXT mbuf the code in the if() clause will be executed. The problem is that m still points to the first mbuf so effectively the data pointer for n is assigned to the end of m's data pointer. It should actually point to the start of the data pointer of the next mbuf in the original m0 chain, right?
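The scenario in the mail, reproduced in a small user-space model so the resulting pointers and lengths can be inspected. This is an added example, not FreeBSD's code: the struct mbuf here carries only the fields the quoted extpacket: tail touches, the skip loop is written as the mail describes it (pkthdr handling omitted), and mget_cluster(), mb_dupcl_model(), m_freem_model() and the buffer sizes are assumptions standing in for the kernel's allocator and mb_dupcl(). The run_boundary_scenario() function builds two 1448-byte M_EXT mbufs and splits at len0 = 1448, then reports where n->m_data ends up, which cluster n references, and whether any bytes go missing from either chain.

```c
#include <stdlib.h>
#include <string.h>

/* Toy model of an mbuf; sizes and helper names below are assumptions. */
#define M_EXT    0x0001
#define MLEN     256    /* inline data area of a model mbuf */
#define MCLBYTES 2048   /* size of a model external cluster */

struct mbuf {
    struct mbuf *m_next;
    char        *m_data;
    int          m_len;
    int          m_flags;
    char         m_dat[MLEN];  /* used when M_EXT is not set */
    char        *ext_buf;      /* shared cluster when M_EXT is set */
    int         *ext_refcnt;   /* reference count shared by all users of ext_buf */
};

/* Allocate an M_EXT mbuf holding 'len' bytes of 'fill' in a fresh cluster. */
static struct mbuf *mget_cluster(int len, char fill)
{
    struct mbuf *m = calloc(1, sizeof(*m));
    m->ext_buf = malloc(MCLBYTES);
    memset(m->ext_buf, fill, MCLBYTES);
    m->ext_refcnt = malloc(sizeof(int));
    *m->ext_refcnt = 1;
    m->m_data = m->ext_buf;
    m->m_len = len;
    m->m_flags = M_EXT;
    return m;
}

/* Stand-in for mb_dupcl(): n references m's cluster and bumps its refcount. */
static void mb_dupcl_model(struct mbuf *n, struct mbuf *m)
{
    n->ext_buf = m->ext_buf;
    n->ext_refcnt = m->ext_refcnt;
    (*n->ext_refcnt)++;
    n->m_flags |= M_EXT;
}

static void m_freem_model(struct mbuf *m)
{
    while (m != NULL) {
        struct mbuf *next = m->m_next;
        if ((m->m_flags & M_EXT) && --(*m->ext_refcnt) == 0) {
            free(m->ext_buf);
            free(m->ext_refcnt);
        }
        free(m);
        m = next;
    }
}

/* Skip whole mbufs while len0 exceeds the current one, then run the quoted tail. */
static struct mbuf *m_split_model(struct mbuf *m0, int len0)
{
    struct mbuf *m, *n;
    int len = len0, remain;

    for (m = m0; m != NULL && len > m->m_len; m = m->m_next)
        len -= m->m_len;
    if (m == NULL)
        return NULL;
    remain = m->m_len - len;

    n = calloc(1, sizeof(*n));
    if (m->m_flags & M_EXT) {
        n->m_data = m->m_data + len;   /* with len == m->m_len this is one past m's data */
        mb_dupcl_model(n, m);
    } else {
        n->m_data = n->m_dat;
        memcpy(n->m_data, m->m_data + len, (size_t)remain);
    }
    n->m_len = remain;
    m->m_len = len;
    n->m_next = m->m_next;
    m->m_next = NULL;
    return n;
}

static int chain_len(const struct mbuf *m)
{
    int total = 0;
    for (; m != NULL; m = m->m_next)
        total += m->m_len;
    return total;
}

struct split_report {
    int  head_len;            /* bytes left in m0's chain */
    int  tail_len;            /* bytes in the chain that n heads */
    int  n_len;               /* n->m_len */
    int  n_past_end_of_m;     /* n->m_data == m0->m_data + m0->m_len ? */
    int  n_shares_m_cluster;  /* n references m0's cluster rather than the second mbuf's ? */
    char first_tail_byte;     /* first byte a consumer walking n's chain would read */
};

struct split_report run_boundary_scenario(void)
{
    struct split_report r;
    struct mbuf *m0 = mget_cluster(1448, 'A');   /* constructed two-mbuf chain */
    m0->m_next = mget_cluster(1448, 'B');
    struct mbuf *second = m0->m_next;
    struct mbuf *n = m_split_model(m0, 1448);

    r.head_len = chain_len(m0);
    r.tail_len = chain_len(n);
    r.n_len = n->m_len;
    r.n_past_end_of_m = (n->m_data == m0->m_data + m0->m_len);
    r.n_shares_m_cluster = (n->ext_buf == m0->ext_buf && n->ext_buf != second->ext_buf);
    const struct mbuf *p = n;
    while (p != NULL && p->m_len == 0)   /* skip zero-length mbufs like a consumer would */
        p = p->m_next;
    r.first_tail_byte = (p != NULL) ? p->m_data[0] : '\0';

    m_freem_model(m0);
    m_freem_model(n);
    return r;
}
```

In this model the split yields a zero-length n whose m_data sits one past the end of the first mbuf's data and which holds a reference to the first mbuf's cluster, while the second mbuf follows as n->m_next. Both chains still total 1448 bytes, so no payload is lost; what the boundary case produces is an extra empty mbuf at the head of the tail chain that keeps the first cluster alive for as long as the tail does.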