Date: Tue, 24 Jun 1997 11:10:30 +0400
From: "Alexander V. Tischenko" <flash@intech.hway.ru>
To: "Ian Stephenson" <ians@cam-ani.co.uk>, <freebsd-hackers@FreeBSD.ORG>
Subject: Re: BPF bug
Message-ID: <199706240713.LAA02870@thorin.hway.ru>
Not so in 2.2.1-RELEASE:
libkern.h:static __inline u_int min(u_int a, u_int b) { return (a < b ? a : b);}
----------
> From: Ian Stephenson <ians@cam-ani.co.uk>
> To: freebsd-hackers@FreeBSD.ORG
> Subject: BPF bug
> Date: 23 June 1997 16:19
>
> In FreeBSD-current/src/sys/net/bpf.c
>
> static void
> catchpacket(d, pkt, pktlen, snaplen, cpfn)
> register struct bpf_d *d;
> register u_char *pkt;
> register u_int pktlen, snaplen;
> register void (*cpfn)(const void *, void *, u_int);
> {
> register struct bpf_hdr *hp;
> register int totlen, curlen;
> register int hdrlen = d->bd_bif->bif_hdrlen;
> /*
> * Figure out how many bytes to move. If the packet is
> * greater or equal to the snapshot length, transfer that
> * much. Otherwise, transfer the whole packet (unless
> * we hit the buffer size limit).
> */
> totlen = hdrlen + min(snaplen, pktlen);
> ...
> }
>
> appears to be doing a signed comparison of unsigned ints.
>
> This definitely crashes in 2.1.6 (I can't upgrade yet, so can't
> verify this is still a problem) when snaplen = 0xffffffff.
>
> replacing
> totlen = hdrlen + min(snaplen, pktlen);
> with
> if(snaplen < pktlen)
> totlen = hdrlen + snaplen;
> else
> totlen = hdrlen + pktlen;
> fixes the problem for me...
>
> $an
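To make the disagreement in this thread concrete, here is an added example (not code from either message or from the FreeBSD tree) that evaluates `totlen = hdrlen + min(snaplen, pktlen)` three ways with `snaplen = 0xffffffff`: with an `int min()` (an assumption standing in for the pre-2.2 libkern behaviour the report describes), with the `u_int min()` quoted from 2.2.1-RELEASE, and with the explicit if/else from the bug report. The header and packet lengths are constructed sample values.

```c
#include <stdio.h>

typedef unsigned int u_int;

/* Assumption: a libkern min() taking and returning plain int, i.e. the
 * "signed comparison of unsigned ints" the bug report describes. */
static int min_int(int a, int b) { return (a < b ? a : b); }

/* The definition quoted from 2.2.1-RELEASE libkern.h (static inline here). */
static inline u_int min_uint(u_int a, u_int b) { return (a < b ? a : b); }

/* hdrlen + min(snaplen, pktlen) with the int min(): snaplen 0xffffffff is
 * converted to -1, wins the comparison, and totlen comes out one byte
 * shorter than the header itself. */
int totlen_signed_min(int hdrlen, u_int pktlen, u_int snaplen)
{
    return hdrlen + min_int((int)snaplen, (int)pktlen);
}

/* Same expression with the u_int min(): the comparison stays unsigned
 * and the packet length wins, as intended. */
int totlen_unsigned_min(int hdrlen, u_int pktlen, u_int snaplen)
{
    return hdrlen + min_uint(snaplen, pktlen);
}

/* The explicit if/else from the report; snaplen and pktlen are u_int,
 * so the comparison is unsigned regardless of how min() is declared. */
int totlen_explicit(int hdrlen, u_int pktlen, u_int snaplen)
{
    int totlen;
    if (snaplen < pktlen)
        totlen = hdrlen + snaplen;
    else
        totlen = hdrlen + pktlen;
    return totlen;
}

int main(void)
{
    int hdrlen = 18;                 /* constructed sample header length */
    u_int pktlen = 60;               /* constructed sample packet length */
    u_int snaplen = 0xffffffffU;     /* the value from the bug report */
    printf("int min():    totlen=%d\n", totlen_signed_min(hdrlen, pktlen, snaplen));
    printf("u_int min():  totlen=%d\n", totlen_unsigned_min(hdrlen, pktlen, snaplen));
    printf("explicit:     totlen=%d\n", totlen_explicit(hdrlen, pktlen, snaplen));
    return 0;
}
```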