From owner-freebsd-hackers Tue Jun 24 00:22:19 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id AAA29817 for hackers-outgoing; Tue, 24 Jun 1997 00:22:19 -0700 (PDT)
Received: from thorin.hway.ru (root@thorin.hway.ru [194.87.58.130]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id AAA29810 for ; Tue, 24 Jun 1997 00:22:14 -0700 (PDT)
Received: from flash.intech.hway.ru (flash.intech.hway.ru [194.87.58.132]) by thorin.hway.ru (8.8.6/8.8.6) with ESMTP id LAA02870; Tue, 24 Jun 1997 11:13:55 +0400 (MSD)
Message-Id: <199706240713.LAA02870@thorin.hway.ru>
From: "Alexander V. Tischenko"
To: "Ian Stephenson" ,
Subject: Re: BPF bug
Date: Tue, 24 Jun 1997 11:10:30 +0400
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1161
MIME-Version: 1.0
Content-Type: text/plain; charset=KOI8-R
Content-Transfer-Encoding: 8bit
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Not so in 2.2.1-RELEASE:

libkern.h:
static __inline u_int min(u_int a, u_int b) { return (a < b ? a : b); }

----------
> From: Ian Stephenson
> To: freebsd-hackers@FreeBSD.ORG
> Subject: BPF bug
> Date: 23 June 1997 16:19
>
> In FreeBSD-current/src/sys/net/bpf.c
>
> static void
> catchpacket(d, pkt, pktlen, snaplen, cpfn)
>         register struct bpf_d *d;
>         register u_char *pkt;
>         register u_int pktlen, snaplen;
>         register void (*cpfn)(const void *, void *, u_int);
> {
>         register struct bpf_hdr *hp;
>         register int totlen, curlen;
>         register int hdrlen = d->bd_bif->bif_hdrlen;
>         /*
>          * Figure out how many bytes to move.  If the packet is
>          * greater or equal to the snapshot length, transfer that
>          * much.  Otherwise, transfer the whole packet (unless
>          * we hit the buffer size limit).
>          */
>         totlen = hdrlen + min(snaplen, pktlen);
>         ...
> }
>
> appears to be doing a signed comparison of unsigned ints.
>
> This definitely crashes in 2.1.6 (I can't upgrade yet, so can't
> verify this is still a problem) when snaplen = 0xffffffff.
>
> replacing
>         totlen = hdrlen + min(snaplen, pktlen);
> with
>         if(snaplen < pktlen)
>                 totlen = hdrlen + snaplen;
>         else
>                 totlen = hdrlen + pktlen;
> fixes the problem for me...
>
> Ian
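As an added example (not code from the FreeBSD tree or from either poster), the following C program models the totlen computation quoted above with three variants of the length clamp: a hypothetical signed min() of the kind the original report describes, the unsigned inline min() the reply quotes from 2.2.1's libkern.h, and the explicit comparison from the proposed fix. The values hdrlen = 18 and pktlen = 60, and the names totlen_signed, totlen_unsigned and totlen_fixed, are assumptions for illustration; the program also assumes a two's-complement int, so the u_int value 0xffffffff becomes -1 when it reaches the signed version.

```c
/*
 * Added example: models the totlen computation from catchpacket() with
 * three versions of the snaplen/pktlen clamp.  This is not FreeBSD code.
 * Assumptions: two's-complement int; hdrlen/pktlen sample values below
 * are constructed; the *_signed/*_unsigned/*_fixed names are ours.
 */
#include <stdio.h>

typedef unsigned int u_int;

/* Mirrors the libkern.h definition quoted in the reply: an unsigned compare. */
static inline u_int min_uint(u_int a, u_int b)
{
    return (a < b ? a : b);
}

/*
 * Hypothetical signed variant, standing in for the behaviour the original
 * report describes as "a signed comparison of unsigned ints".
 */
static inline int min_int(int a, int b)
{
    return (a < b ? a : b);
}

/*
 * totlen with the signed clamp.  The u_int arguments are converted to int,
 * so snaplen = 0xffffffff becomes -1, min() picks it, and totlen ends up
 * smaller than hdrlen: anything downstream that treats totlen - hdrlen as
 * a byte count now sees a negative value.
 */
int totlen_signed(int hdrlen, u_int snaplen, u_int pktlen)
{
    return hdrlen + min_int((int)snaplen, (int)pktlen);
}

/* totlen with the unsigned clamp from 2.2.1's libkern.h. */
int totlen_unsigned(int hdrlen, u_int snaplen, u_int pktlen)
{
    return hdrlen + (int)min_uint(snaplen, pktlen);
}

/* totlen with the explicit comparison from the proposed fix. */
int totlen_fixed(int hdrlen, u_int snaplen, u_int pktlen)
{
    if (snaplen < pktlen)
        return hdrlen + (int)snaplen;
    return hdrlen + (int)pktlen;
}

int main(void)
{
    /* Constructed sample: an 18-byte BPF header and a 60-byte packet. */
    const int   hdrlen  = 18;
    const u_int pktlen  = 60;
    const u_int snaplen = 0xffffffffu;   /* the value the report says crashes */

    printf("signed   min: totlen = %d\n", totlen_signed(hdrlen, snaplen, pktlen));
    printf("unsigned min: totlen = %d\n", totlen_unsigned(hdrlen, snaplen, pktlen));
    printf("explicit fix: totlen = %d\n", totlen_fixed(hdrlen, snaplen, pktlen));
    return 0;
}
```

With the signed clamp the sample yields totlen = 17, one byte short of the header alone, whereas both the unsigned min() and the explicit comparison give the expected 78 (header plus the whole 60-byte packet); with an ordinary snaplen such as 96 all three agree, which is why the bug only shows up at the extreme value.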