Date: Sun, 29 Apr 2012 18:42:49 +0000 (UTC) From: Michael Tuexen <tuexen@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org Subject: svn commit: r234809 - stable/8/sys/netinet Message-ID: <201204291842.q3TIgnc7027187@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: tuexen Date: Sun Apr 29 18:42:49 2012 New Revision: 234809 URL: http://svn.freebsd.org/changeset/base/234809 Log: MFC r234459: Fix a bug where we copy out more data from a mbuf chain that are ctually in it. This happens when SCTP receives an unknown chunk, which requires the sending of an ERROR chunk, and there is no final padding but the chunk is not 4-byte aligned. Reported by yueting via rwatson@ Modified: stable/8/sys/netinet/sctp_indata.c stable/8/sys/netinet/sctp_input.c Directory Properties: stable/8/sys/ (props changed) Modified: stable/8/sys/netinet/sctp_indata.c ============================================================================== --- stable/8/sys/netinet/sctp_indata.c Sun Apr 29 18:40:41 2012 (r234808) +++ stable/8/sys/netinet/sctp_indata.c Sun Apr 29 18:42:49 2012 (r234809) @@ -2746,11 +2746,13 @@ sctp_process_data(struct mbuf **mm, int phd->param_length = htons(chk_length + sizeof(*phd)); SCTP_BUF_LEN(merr) = sizeof(*phd); - SCTP_BUF_NEXT(merr) = SCTP_M_COPYM(m, *offset, - SCTP_SIZE32(chk_length), - M_DONTWAIT); + SCTP_BUF_NEXT(merr) = SCTP_M_COPYM(m, *offset, chk_length, M_DONTWAIT); if (SCTP_BUF_NEXT(merr)) { - sctp_queue_op_err(stcb, merr); + if (sctp_pad_lastmbuf(SCTP_BUF_NEXT(merr), SCTP_SIZE32(chk_length) - chk_length, NULL)) { + sctp_m_freem(merr); + } else { + sctp_queue_op_err(stcb, merr); + } } else { sctp_m_freem(merr); } Modified: stable/8/sys/netinet/sctp_input.c ============================================================================== --- stable/8/sys/netinet/sctp_input.c Sun Apr 29 18:40:41 2012 (r234808) +++ stable/8/sys/netinet/sctp_input.c Sun Apr 29 18:42:49 2012 (r234809) @@ -5461,23 +5461,26 @@ process_control_chunks: phd->param_type = htons(SCTP_CAUSE_UNRECOG_CHUNK); phd->param_length = htons(chk_length + sizeof(*phd)); SCTP_BUF_LEN(mm) = sizeof(*phd); - SCTP_BUF_NEXT(mm) = SCTP_M_COPYM(m, *offset, SCTP_SIZE32(chk_length), - M_DONTWAIT); + SCTP_BUF_NEXT(mm) = SCTP_M_COPYM(m, *offset, chk_length, M_DONTWAIT); if (SCTP_BUF_NEXT(mm)) { + if (sctp_pad_lastmbuf(SCTP_BUF_NEXT(mm), SCTP_SIZE32(chk_length) - chk_length, NULL)) { + sctp_m_freem(mm); + } else { #ifdef SCTP_MBUF_LOGGING - if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) { - struct mbuf *mat; + if (SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) { + struct mbuf *mat; - mat = SCTP_BUF_NEXT(mm); - while (mat) { - if (SCTP_BUF_IS_EXTENDED(mat)) { - sctp_log_mb(mat, SCTP_MBUF_ICOPY); + mat = SCTP_BUF_NEXT(mm); + while (mat) { + if (SCTP_BUF_IS_EXTENDED(mat)) { + sctp_log_mb(mat, SCTP_MBUF_ICOPY); + } + mat = SCTP_BUF_NEXT(mat); } - mat = SCTP_BUF_NEXT(mat); } - } #endif - sctp_queue_op_err(stcb, mm); + sctp_queue_op_err(stcb, mm); + } } else { sctp_m_freem(mm); }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201204291842.q3TIgnc7027187>