From owner-freebsd-bugs Sat Apr 8 20:30:10 2000
Delivered-To: freebsd-bugs@freebsd.org
Message-Id: <200004090334.WAA05395@dustdevil.waterspout.com>
Date: Sat, 8 Apr 2000 22:34:40 -0500 (EST)
From: "C. Stephen Gunn"
Reply-To: csg@dustdevil.waterspout.com
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/17872: arpintr() fix followup
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 17872
>Category: kern
>Synopsis: arpintr() fix followup
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Apr 8 20:30:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: C. Stephen Gunn
>Release: FreeBSD 4.0-STABLE i386
>Organization: WaterSpout Communications, Inc.
>Environment: FreeBSD 4.0-STABLE, FreeBSD 5-CURRENT
>Description: My previous patch to arpintr() does too much work. I incorrectly assumed that since it was wrong to check m->m_len for the length of the entire mbuf chain, (completely forgetting m->mh_len), that I had to do all the work myself. I even made a comment about how silly it was to do all the work with "wanna implement m_size?"
>How-To-Repeat: There's no crash, just a code cleanup.
>Fix: Apply this patch to remove the for-loop calculating the length of the mbuf chain, and just trust m->mh_len.

Index: if_ether.c =================================================================== RCS file: /project/cvs/FreeBSD/src/sys/netinet/if_ether.c,v retrieving revision 1.68 diff -u -r1.68 if_ether.c --- if_ether.c 2000/03/29 07:50:39 1.68 +++ if_ether.c 2000/04/09 03:28:43 @@ -434,7 +434,7 @@ { register struct mbuf *m, *m0; register struct arphdr *ar; - int s, ml; + int s; while (arpintrq.ifq_head) { s = splimp(); 
@@ -442,7 +442,14 @@ splx(s); if (m == 0 || (m->m_flags & M_PKTHDR) == 0) panic("arpintr"); - + + if (m->mh_len < sizeof(struct arphdr) + 2 * ar->ar_hln + + 2 * ar->ar_pln) { + log(LOG_ERR, "arp: runt packet\n"); + m_freem(m); + continue; + } + if (m->m_len < sizeof(struct arphdr) && ((m = m_pullup(m, sizeof(struct arphdr))) == NULL)) { log(LOG_ERR, "arp: runt packet -- m_pullup failed\n"); @@ -455,20 +462,6 @@ log(LOG_ERR, "arp: unknown hardware address format (0x%2D)\n", (unsigned char *)&ar->ar_hrd, ""); - m_freem(m); - continue; - } - - m0 = m; - ml = 0; - while (m0 != NULL) { - ml += m0->m_len; /* wanna implement m_size?? */ - m0 = m0->m_next; - } - - if (ml < sizeof(struct arphdr) + 2 * ar->ar_hln - + 2 * ar->ar_pln) { - log(LOG_ERR, "arp: runt packet\n"); m_freem(m); continue; }
>Release-Note:
>Audit-Trail:
>Unformatted:
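Review bot: in the first hunk (@@ -434,7), the context line `register struct mbuf *m, *m0;` still declares m0, while the third hunk removes the `m0 = m;` walk, which is the only use of m0 shown in this patch. If nothing else in arpintr() uses it, drop m0 together with ml so the function does not carry an unused variable.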
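Review bot: in the second hunk (@@ -442,7), the new runt check reads ar->ar_hln and ar->ar_pln right after the dequeue and the panic test, before the m_pullup() of sizeof(struct arphdr) that follows it, and no assignment to ar for this packet is visible between the dequeue and the check. On the first pass through the loop ar is uninitialized, and on later passes it would still refer to the previous packet, which may already have gone through m_freem(), so the length comparison is made against stale or garbage header fields. Suggest keeping the test where the third hunk removes the old one, after the pullup and the ar_hrd check, and changing only `ml` to the packet-header length. Also worth confirming the field name: the m_pullup test just below uses m->m_len for the first mbuf, so the chain total has to come from a different field than the one m_len refers to.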
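Review bot: in the third hunk (@@ -455,20), removing the per-mbuf walk means the runt test now relies on the length recorded in the packet header matching the chain, and nothing in the patch says why that is safe. The `(m->m_flags & M_PKTHDR) == 0` panic at the top of the loop is what guarantees the header is present; a one-line comment at the new check stating that would be a useful replacement for the removed "wanna implement m_size??" remark.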