Date: Sat, 8 Apr 2000 22:34:40 -0500 (EST)
From: "C. Stephen Gunn" <csg@dustdevil.waterspout.com>
To: FreeBSD-gnats-submit@freebsd.org
Subject: kern/17872: arpintr() fix followup
Message-ID: <200004090334.WAA05395@dustdevil.waterspout.com>
>Number: 17872 >Category: kern >Synopsis: arpintr() fix followup >Confidential: no >Severity: non-critical >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sat Apr 8 20:30:01 PDT 2000 >Closed-Date: >Last-Modified: >Originator: C. Stephen Gunn >Release: FreeBSD 4.0-STABLE i386 >Organization: WaterSpout Communications, Inc. >Environment: FreeBSD 4.0-STABLE, FreeBSD 5-CURRENT >Description: My previous patch to arpintr() does too much work. I incorrectly assumed that since it was wrong to check m->m_len for the length of the entire mbuf chain, (completely forgetting m->mh_len), that I had to do all the work myself. I even made a comment about how silly it was to do all the work with "wanna implement m_size?" >How-To-Repeat: There's no crash, just a code cleanup. >Fix: Apply this patch to remove the for-loop calculating the length of the mbuf chain, and just trust m->mh_len. Index: if_ether.c =================================================================== RCS file: /project/cvs/FreeBSD/src/sys/netinet/if_ether.c,v retrieving revision 1.68 diff -u -r1.68 if_ether.c --- if_ether.c 2000/03/29 07:50:39 1.68 +++ if_ether.c 2000/04/09 03:28:43 @@ -434,7 +434,7 @@ { register struct mbuf *m, *m0; register struct arphdr *ar; - int s, ml; + int s; while (arpintrq.ifq_head) { s = splimp(); @@ -442,7 +442,14 @@ splx(s); if (m == 0 || (m->m_flags & M_PKTHDR) == 0) panic("arpintr"); - + + if (m->mh_len < sizeof(struct arphdr) + 2 * ar->ar_hln + + 2 * ar->ar_pln) { + log(LOG_ERR, "arp: runt packet\n"); + m_freem(m); + continue; + } + if (m->m_len < sizeof(struct arphdr) && ((m = m_pullup(m, sizeof(struct arphdr))) == NULL)) { log(LOG_ERR, "arp: runt packet -- m_pullup failed\n"); 
@@ -455,20 +462,6 @@ log(LOG_ERR, "arp: unknown hardware address format (0x%2D)\n", (unsigned char *)&ar->ar_hrd, ""); - m_freem(m); - continue; - } - - m0 = m; - ml = 0; - while (m0 != NULL) { - ml += m0->m_len; /* wanna implement m_size?? */ - m0 = m0->m_next; - } - - if (ml < sizeof(struct arphdr) + 2 * ar->ar_hln - + 2 * ar->ar_pln) { - log(LOG_ERR, "arp: runt packet\n"); m_freem(m); continue; } >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
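Review bot: In the first hunk (@@ -434,7 +434,7 @@) ml is dropped from the declarations but m0 stays in "register struct mbuf *m, *m0;", while the third hunk removes the only use of m0 visible in this patch (the chain walk). If nothing else in arpintr() uses it, drop m0 from the declaration in the same change.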
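Review bot: In the second hunk (@@ -442,7 +442,14 @@) the new runt check reads ar->ar_hln and ar->ar_pln ahead of the m_pullup() call that follows it, and no assignment to ar is visible earlier in the loop body, so the comparison runs on a pointer that is either unset or left over from the previous iteration. Suggest leaving the check where the third hunk removes it, after the header has been pulled up and ar points into it, and only replacing ml with the packet length there. Also, the stated goal is the length of the whole chain: as far as I know mh_len is the struct m_hdr field that m_len expands to, so it covers the first mbuf only, while the total is kept in the packet header that the M_PKTHDR test just above guarantees (m->m_pkthdr.len). Please confirm which field is intended.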