From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 193005] New: [patch] m_copymdata() doesn't copy data properly
Date: Tue, 26 Aug 2014 02:27:40 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193005

            Bug ID: 193005
           Summary: [patch] m_copymdata() doesn't copy data properly
           Product: Base System
           Version: 10.0-STABLE
          Hardware: Any
                OS: Any
            Status: Needs Triage
          Severity: Affects Some People
          Priority: Normal
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: keithr@freebsd.keithr.com

Created attachment 146286
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=146286&action=edit
Patch for the problems described in this bug.

There are several problems with m_copymdata() that prevent it from working
properly. The first one is always fatal; the others cause it to copy
improperly in specific cases.

1. The m_bcopyxxx() function interprets its arguments in the incorrect order,
   so it copies from the destination buffer to the source.

2. Because a pointer to the destination buffer is passed through m_apply() to
   m_bcopyxxx(), if the source spans multiple mbufs, the contents of each
   source mbuf will be copied to the same place in the destination mbuf,
   rather than being concatenated.

3. In some places m_copymdata() checks for M_PKTHDR before performing pkthdr
   manipulations, but in other places it does not.

4. In the shortcut that is taken if data is being appended and the last mbuf
   has enough free space, the m_pkthdr.len field of the last mbuf in the chain
   is incremented. The correct thing to do in this case is to increment
   m_pkthdr.len in the first mbuf in the chain.

I have attached a patch that provides one approach to fixing these problems.
The fix for problem 2 involved changing m_bcopyxxx() to take a pointer to the
destination mbuf, determine the destination within its buffer to copy into,
and increment its m_len by the amount copied. It does not check that there is
enough space in the destination; the code in m_copymdata() that passes
m_bcopyxxx to m_apply() ensures that there is enough space.
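
Problem 2 and the fix approach described in the report, reproduced as an added userland example; this is not code from the report or from the attached patch. `struct seg`, `apply_chain`, `copy_fixed_dst`, `copy_append` and `demo` are hypothetical, simplified stand-ins for an mbuf chain, m_apply() and m_bcopyxxx().

```c
#include <string.h>

/* Simplified stand-in for an mbuf (assumed layout, not the kernel's). */
struct seg {
    struct seg *next;
    size_t len;               /* bytes in use, plays the role of m_len */
    char buf[32];
};

typedef int (*seg_fn)(void *arg, void *data, size_t len);

/* Like m_apply(): calls f(arg, data, len) once per segment of the chain. */
static int apply_chain(struct seg *s, seg_fn f, void *arg)
{
    for (; s != NULL; s = s->next) {
        int rc = f(arg, s->buf, s->len);
        if (rc != 0)
            return rc;
    }
    return 0;
}

/* Problem 2: arg is a raw destination pointer that never advances, so
 * every source segment is written to the same place. */
static int copy_fixed_dst(void *arg, void *data, size_t len)
{
    memcpy(arg, data, len);
    return 0;
}

/* Approach from the report: arg is the destination segment; copy to its
 * current end and grow len. No space check here; the caller ensures it. */
static int copy_append(void *arg, void *data, size_t len)
{
    struct seg *d = arg;
    memcpy(d->buf + d->len, data, len);
    d->len += len;
    return 0;
}

/* Constructed input: chain "abc" -> "def". Returns 1 if dst holds "abcdef". */
static int demo(seg_fn f, int pass_seg)
{
    struct seg s2 = { NULL, 3, "def" };
    struct seg s1 = { &s2, 3, "abc" };
    struct seg dst = { NULL, 0, "" };
    apply_chain(&s1, f, pass_seg ? (void *)&dst : (void *)dst.buf);
    return memcmp(dst.buf, "abcdef", 6) == 0;
}

int main(void) { return !(demo(copy_append, 1) && !demo(copy_fixed_dst, 0)); }
```

With the fixed-pointer callback the destination ends up holding only the last source segment; with the appending callback the segments are concatenated.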