Date: Wed, 27 Aug 2008 15:38:04 GMT From: Sam Leffler <sam@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 148622 for review Message-ID: <200808271538.m7RFc4ks001161@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=148622 Change 148622 by sam@sam_ebb on 2008/08/27 15:37:44 Fix mic calculation when final data is entirely in a trailing mbuf; it's unclear if this can happen on freebsd but does appear on netbsd. Identified by Matthias Drochner who came up with an initial change that we then revised together. Reviewed by: thompsa, sephe, avatar Affected files ... .. //depot/projects/vap/sys/net80211/ieee80211_crypto_tkip.c#15 edit Differences ... ==== //depot/projects/vap/sys/net80211/ieee80211_crypto_tkip.c#15 (text+ko) ==== @@ -910,7 +910,17 @@ data += sizeof(uint32_t), space -= sizeof(uint32_t); data_len -= sizeof(uint32_t); } - if (data_len < sizeof(uint32_t)) + /* + * NB: when space is zero we make one more trip around + * the loop to advance to the next mbuf where there is + * data. This handles the case where there are 4*n + * bytes in an mbuf followed by <4 bytes in a later mbuf. + * By making an extra trip we'll drop out of the loop + * with m pointing at the mbuf with 3 bytes and space + * set as required by the remainder handling below. + */ + if (data_len == 0 || + (data_len < sizeof(uint32_t) && space != 0)) break; m = m->m_next; if (m == NULL) { @@ -957,6 +967,14 @@ space = m->m_len; } } + /* + * Catch degenerate cases like mbuf[4*n+1 bytes] followed by + * mbuf[2 bytes]. I don't believe these should happen; if they + * do then we'll need more involved logic. + */ + KASSERT(data_len <= space, + ("not enough data, data_len %u space %u\n", data_len, space)); + /* Last block and padding (0x5a, 4..7 x 0) */ switch (data_len) { case 0:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200808271538.m7RFc4ks001161>