Date: Mon, 23 Jun 97 13:19:48 +0100
From: Ian Stephenson <ians@cam-ani.co.uk>
To: freebsd-hackers@FreeBSD.ORG
Subject: BPF bug
Message-ID: <199706231219.NAA04824@louie.cam-ani.co.uk>
In FreeBSD-current/src/sys/net/bpf.c

    static void
    catchpacket(d, pkt, pktlen, snaplen, cpfn)
            register struct bpf_d *d;
            register u_char *pkt;
            register u_int pktlen, snaplen;
            register void (*cpfn)(const void *, void *, u_int);
    {
            register struct bpf_hdr *hp;
            register int totlen, curlen;
            register int hdrlen = d->bd_bif->bif_hdrlen;
            /*
             * Figure out how many bytes to move.  If the packet is
             * greater or equal to the snapshot length, transfer that
             * much.  Otherwise, transfer the whole packet (unless
             * we hit the buffer size limit).
             */
            totlen = hdrlen + min(snaplen, pktlen);
            ...
    }

appears to be doing a signed comparison of unsigned ints. This definitely crashes in 2.1.6 (I can't upgrade yet, so can't verify this is still a problem) when snaplen = 0xffffffff.

Replacing

    totlen = hdrlen + min(snaplen, pktlen);

with

    if (snaplen < pktlen)
            totlen = hdrlen + snaplen;
    else
            totlen = hdrlen + pktlen;

fixes the problem for me...

Ian
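An added illustration of the length arithmetic the report describes; this is not code from the mail or from the FreeBSD source. It assumes a min() helper that compares its arguments as int (the behaviour the report diagnoses) and models only the totlen computation, not the rest of catchpacket().

```c
#include <stdio.h>
#include <limits.h>

typedef unsigned int u_int;

/* Assumed model of the kernel's min(): both operands are converted to
 * int, so a snaplen of 0xffffffff is compared as -1. */
static int min_signed(int a, int b) { return a < b ? a : b; }

/* Constructed model of the original line: totlen = hdrlen + min(snaplen, pktlen).
 * Returns the number of packet bytes the later copy step would be asked to
 * move (totlen - hdrlen, as the unsigned count the copy routine takes). */
u_int copy_len_buggy(u_int hdrlen, u_int snaplen, u_int pktlen) {
    /* min_signed(0xffffffff, pktlen) yields -1, so totlen becomes hdrlen - 1 */
    int totlen = hdrlen + min_signed(snaplen, pktlen);
    return (u_int)(totlen - (int)hdrlen);   /* -1 wraps to UINT_MAX */
}

/* The report's replacement: compare as u_int before adding. */
u_int copy_len_fixed(u_int hdrlen, u_int snaplen, u_int pktlen) {
    int totlen;
    if (snaplen < pktlen)
        totlen = hdrlen + snaplen;
    else
        totlen = hdrlen + pktlen;
    return (u_int)(totlen - (int)hdrlen);   /* min(snaplen, pktlen), unsigned */
}

/* Does the requested copy fit in a store buffer of bufsize bytes? */
int fits_buffer(u_int hdrlen, u_int copy_len, u_int bufsize) {
    return copy_len <= bufsize && hdrlen + copy_len <= bufsize;
}

int main(void) {
    /* Constructed sample: 18-byte BPF header, 1500-byte packet, 4 KiB buffer,
     * and the "whole packet" snaplen of 0xffffffff. */
    u_int hdrlen = 18, pktlen = 1500, bufsize = 4096, snaplen = 0xffffffffu;
    u_int b = copy_len_buggy(hdrlen, snaplen, pktlen);
    u_int f = copy_len_fixed(hdrlen, snaplen, pktlen);
    printf("signed min:   copy %u bytes, fits=%d\n", b, fits_buffer(hdrlen, b, bufsize));
    printf("unsigned cmp: copy %u bytes, fits=%d\n", f, fits_buffer(hdrlen, f, bufsize));
    return 0;
}
```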