Date:      Fri, 31 Mar 1995 12:32:57 -0500
From:      Greg Ansley <gja@ansley.atlanta.com>
To:        freebsd-current@FreeBSD.org
Subject:   FIX for bpf_filter.c
Message-ID:  <199503311732.MAA02964@ansley.com>

Could someone please commit this patch for the bpf_filter option.

In rare cases, when the filter specified accesses a multi-byte value that
is split across mbufs, the value loaded is incorrect.  And if you are very
unlucky (like me) it will index off the end of the mbuf and into an
unallocated page and panic the system.

If you look at the code you will discover that the index *k* is added to
the pointer *cp* and then used AGAIN as a subscript.

Greg Ansley
Ansley & Associates, Inc.


In /usr/src/net:

--- bpf_filter.c~	Fri Mar 31 12:25:10 1995
+++ bpf_filter.c	Fri Mar 31 12:26:28 1995
@@ -112,14 +112,14 @@
 	switch (len - k) {
 
 	case 1:
-		return (cp[k] << 24) | (np[0] << 16) | (np[1] << 8) | np[2];
+		return (cp[0] << 24) | (np[0] << 16) | (np[1] << 8) | np[2];
 
 	case 2:
-		return (cp[k] << 24) | (cp[k + 1] << 16) | (np[0] << 8) | 
+		return (cp[0] << 24) | (cp[1] << 16) | (np[0] << 8) | 
 			np[1];
 
 	default:
-		return (cp[k] << 24) | (cp[k + 1] << 16) | (cp[k + 2] << 8) |
+		return (cp[0] << 24) | (cp[1] << 16) | (cp[2] << 8) |
 			np[0];
 	}
     bad:
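Review bot: The three replacements are correct only because `cp` already points at byte `k` of this mbuf (as the mail says, k is added to the pointer and then reused as a subscript); since `switch (len - k)` runs only when fewer than four bytes remain here, `cp[k]` with k >= 1 was always past the end of this mbuf's data, so all three cases needed the fix, as done. Suggest a one-line comment above the switch stating that `cp` is pre-offset while `np` starts at the next mbuf, since that asymmetry is what invited the bug; the `case 2:` return line also carries trailing whitespace after its last `|`.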
@@ -153,7 +153,7 @@
 	if (m0 == 0)
 		goto bad;
 	*err = 0;
-	return (cp[k] << 8) | mtod(m0, u_char *)[0];
+	return (cp[0] << 8) | mtod(m0, u_char *)[0];
  bad:
 	*err = 1;
 	return 0;
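Review bot: Same double-offset fix as the word case and consistent with it. Note that `if (m0 == 0) goto bad;` only checks that a next mbuf exists, not that it holds a byte, so `mtod(m0, u_char *)[0]` relies on the chain never carrying a zero-length mbuf at this point; if that is not guaranteed by the caller, a check of `m0->m_len` before the read would close the gap.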



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199503311732.MAA02964>
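The double-offset bug the mail describes, as an added example that is not part of the patch or of FreeBSD's bpf_filter.c: a toy mbuf chain with the word-load logic rebuilt in the same shape (`xword`, `rd`, `demo`, `old_index` and the 8 + 5 byte chain are all constructed here), where the pre-patch subscripts can be selected so that the bad index is caught by a checked read instead of being dereferenced.

```c
#include <stdint.h>
struct mbuf { const uint8_t *data; int len; const struct mbuf *next; }; /* toy mbuf */

/* Bounds-checked byte read: flags *err instead of reading past data[len]. */
static uint32_t rd(const struct mbuf *m, int i, int *err)
{
    if (i < 0 || i >= m->len) { *err = 1; return 0; }
    return m->data[i];
}
/* Big-endian 32-bit load at chain offset k, shaped like m_xword() in bpf_filter.c.
 * old_index reproduces the pre-patch subscripts: cp already points at byte k, yet
 * k is added again, so the split path reads at 2k: past the mbuf for any k >= 1. */
uint32_t xword(const struct mbuf *m, int k, int old_index, int *err)
{
    const struct mbuf *m0;
    int len, cp;
    *err = 0;
    while (k >= m->len) {            /* walk to the mbuf that holds byte k */
        k -= m->len;
        if ((m = m->next) == 0) { *err = 1; return 0; }
    }
    len = m->len;
    if (len - k >= 4)                /* whole word inside this mbuf */
        return (rd(m, k, err) << 24) | (rd(m, k + 1, err) << 16) |
               (rd(m, k + 2, err) << 8) | rd(m, k + 3, err);
    m0 = m->next;                    /* split word: the rest is in the next mbuf */
    if (m0 == 0 || m0->len + len - k < 4) { *err = 1; return 0; }
    cp = old_index ? 2 * k : k;      /* patched code: cp[0] is data[k] */
    switch (len - k) {               /* bytes still available in this mbuf */
    case 1:
        return (rd(m, cp, err) << 24) | (rd(m0, 0, err) << 16) |
               (rd(m0, 1, err) << 8) | rd(m0, 2, err);
    case 2:
        return (rd(m, cp, err) << 24) | (rd(m, cp + 1, err) << 16) |
               (rd(m0, 0, err) << 8) | rd(m0, 1, err);
    default:                         /* len - k == 3 */
        return (rd(m, cp, err) << 24) | (rd(m, cp + 1, err) << 16) |
               (rd(m, cp + 2, err) << 8) | rd(m0, 0, err);
    }
}
/* Constructed 8 + 5 byte chain; returns the word at k, or -1 if the load
 * (patched or pre-patch style) would have stepped outside an mbuf. */
int64_t demo(int k, int old_index)
{
    static const uint8_t a[] = {0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88};
    static const uint8_t b[] = {0x99,0xAA,0xBB,0xCC,0xDD};
    static const struct mbuf m2 = { b, 5, 0 }, m1 = { a, 8, &m2 };
    int err; uint32_t w = xword(&m1, k, old_index, &err);
    return err ? -1 : (int64_t)w;
}
```

Offsets 5, 6 and 7 of the chain are the three split cases; with `old_index` set every one of them trips the bounds check, while offset 0 is the only place the two subscript styles agree.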