From owner-freebsd-current Fri Mar 31 09:33:01 1995
Return-Path: current-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id JAA28397 for current-outgoing; Fri, 31 Mar 1995 09:33:01 -0800
Received: from ansley.com ([155.229.16.182]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id JAA28390 for ; Fri, 31 Mar 1995 09:32:53 -0800
Received: (from gja@localhost) by ansley.com (8.6.9/8.6.9) id MAA02964 for freebsd-current@freebsd.org; Fri, 31 Mar 1995 12:32:57 -0500
Date: Fri, 31 Mar 1995 12:32:57 -0500
From: Greg Ansley
Message-Id: <199503311732.MAA02964@ansley.com>
To: freebsd-current@FreeBSD.org
Subject: FIX for bpf_filter.c
Sender: current-owner@FreeBSD.org
Precedence: bulk

Could someone please commit this patch for the bpf_filter option. In rare cases, when the filter specified accesses a multi-byte value that is split across mbufs, the value loaded is incorrect. And if you are very unlucky (like me) it will index off the end of the mbuf and into an unallocated page and panic the system.

If you look at the code you will discover that the index *k* is added to the pointer *cp* and then used AGAIN as a subscript.

Greg Ansley
Ansley & Associates, Inc.

In /usr/src/net:

--- bpf_filter.c~ Fri Mar 31 12:25:10 1995 +++ bpf_filter.c Fri Mar 31 12:26:28 1995 @@ -112,14 +112,14 @@ switch (len - k) { case 1: - return (cp[k] << 24) | (np[0] << 16) | (np[1] << 8) | np[2]; + return (cp[0] << 24) | (np[0] << 16) | (np[1] << 8) | np[2]; case 2: - return (cp[k] << 24) | (cp[k + 1] << 16) | (np[0] << 8) | + return (cp[0] << 24) | (cp[1] << 16) | (np[0] << 8) | np[1]; default: - return (cp[k] << 24) | (cp[k + 1] << 16) | (cp[k + 2] << 8) | + return (cp[0] << 24) | (cp[1] << 16) | (cp[2] << 8) | np[0]; } bad: @@ -153,7 +153,7 @@ if (m0 == 0) goto bad; *err = 0; - return (cp[k] << 8) | mtod(m0, u_char *)[0]; + return (cp[0] << 8) | mtod(m0, u_char *)[0]; bad: *err = 1; return 0;
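Review bot: In the @@ -112,14 hunk the index fix matches the description in the message: `cp` already has `k` added, so `cp[k]`, `cp[k + 1]` and `cp[k + 2]` read `k` bytes beyond the bytes that `switch (len - k)` was computed for, which is exactly how a split value runs off the end of the mbuf; `cp[0]`, `cp[1]`, `cp[2]` are the offsets the three cases intend. Suggest a one-line comment above `switch (len - k)` stating that `cp` is already offset by `k`, since the double offset was easy to miss and the same mistake appears in two functions.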
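Review bot: The @@ -153,7 hunk applies the same correction to the half-word case: with `cp` already offset by `k`, `cp[k]` is the wrong high byte, and `(cp[0] << 8) | mtod(m0, u_char *)[0]` now mirrors the `case 1:` line of the first hunk, taking what is left of the first mbuf from `cp[0]` and the remainder from `m0`. Nothing else in the hunk changes, and the `if (m0 == 0) goto bad;` guard is preserved, so the two hunks together look complete for the split-mbuf path the message describes.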
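The double offset the message describes, worked through as an added stand-alone C example that is not the FreeBSD code or the author's patch: `load_word` uses the patched indexing over a constructed two-chunk chain that stands in for a pair of mbufs, and `buggy_last_index` computes how far the unpatched `cp[k + i]` form would reach into the first chunk. The `chunk` type, `seg_a`, `seg_b` and the function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
/* Stand-in for one mbuf: a data pointer and the number of valid bytes. */
struct chunk { const uint8_t *data; size_t len; };

/* Load a 32-bit big-endian word at offset k of chunk m, spilling into m0 when
 * the value is split. Mirrors the patched m_xword(): cp is already advanced
 * by k, so first-chunk bytes are cp[0..2]. Returns 0 on success, -1 if short. */
static int load_word(const struct chunk *m, const struct chunk *m0,
                     size_t k, uint32_t *out)
{
    if (k >= m->len)
        return -1;
    const uint8_t *cp = m->data + k;      /* the k offset is applied once */
    size_t avail = m->len - k;            /* bytes left in the first chunk */
    if (avail >= 4) {                     /* value is contiguous */
        *out = ((uint32_t)cp[0] << 24) | (cp[1] << 16) | (cp[2] << 8) | cp[3];
        return 0;
    }
    if (m0 == NULL || avail + m0->len < 4)
        return -1;
    const uint8_t *np = m0->data;
    switch (avail) {
    case 1:  *out = ((uint32_t)cp[0] << 24) | (np[0] << 16) | (np[1] << 8) | np[2]; break;
    case 2:  *out = ((uint32_t)cp[0] << 24) | (cp[1] << 16) | (np[0] << 8) | np[1]; break;
    default: *out = ((uint32_t)cp[0] << 24) | (cp[1] << 16) | (cp[2] << 8) | np[0]; break;
    }
    return 0;
}
/* Highest first-chunk index the unpatched cp[k + i] form would touch:
 * cp = data + k, then cp[k + avail - 1]. */
static size_t buggy_last_index(size_t k, size_t avail) { return k + k + avail - 1; }

/* Constructed sample chain: a 3-byte chunk followed by a 4-byte one. */
static const uint8_t seg_a[] = { 0xDE, 0xAD, 0xBE };
static const uint8_t seg_b[] = { 0xEF, 0x01, 0x02, 0x03 };

/* Word at offset k of the sample chain, or 0 if the offset is out of range. */
uint32_t sample_word(size_t k)
{
    struct chunk a = { seg_a, sizeof seg_a }, b = { seg_b, sizeof seg_b };
    uint32_t w = 0;
    return load_word(&a, &b, k, &w) == 0 ? w : 0;
}

/* 1 if the unpatched indexing would run past the first chunk at offset k. */
int sample_buggy_overruns(size_t k)
{
    return k < sizeof seg_a && buggy_last_index(k, sizeof seg_a - k) >= sizeof seg_a;
}
```

With `k == 0` the two forms coincide, which is why the bug only shows when a filter reads a value at a non-zero offset that happens to straddle the mbuf boundary.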