Date: Wed, 15 Oct 2008 19:24:18 +0000 (UTC) From: "Bjoern A. Zeeb" <bz@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r183923 - head/sys/netinet6 Message-ID: <200810151924.m9FJOIlW041309@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: bz Date: Wed Oct 15 19:24:18 2008 New Revision: 183923 URL: http://svn.freebsd.org/changeset/base/183923 Log: Check that the mbuf len is positive (like we do in the v4 case). Read the other way round this means that even with the checks the m_len turned negative in some cases which led to panics. The reason to my understanding seems to be that the checks are wrong (also for v4) ignoring possible padding when checking cmsg_len or padding after data when adjusting the mbuf. Doing proper cheks seems to break applications like named so further investigation and regression tests are needed. PR: kern/119123 Tested by: Ashish Shukla wahjava gmail.com MFC after: 3 days Modified: head/sys/netinet6/ip6_output.c Modified: head/sys/netinet6/ip6_output.c ============================================================================== --- head/sys/netinet6/ip6_output.c Wed Oct 15 16:58:35 2008 (r183922) +++ head/sys/netinet6/ip6_output.c Wed Oct 15 19:24:18 2008 (r183923) @@ -2820,7 +2820,7 @@ ip6_setpktopts(struct mbuf *control, str if (control->m_next) return (EINVAL); - for (; control->m_len; control->m_data += CMSG_ALIGN(cm->cmsg_len), + for (; control->m_len > 0; control->m_data += CMSG_ALIGN(cm->cmsg_len), control->m_len -= CMSG_ALIGN(cm->cmsg_len)) { int error;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200810151924.m9FJOIlW041309>