
D17909.id50172.diff

Index: sys/netinet/ip_icmp.c
===================================================================
--- sys/netinet/ip_icmp.c
+++ sys/netinet/ip_icmp.c
@@ -309,7 +309,13 @@
if (icmplen < sizeof(struct ip))
goto freeit;
- if (MHLEN > sizeof(struct ip) + ICMP_MINLEN + icmplen)
+ /*
+ * XXX m_align may add up to sizeof(long) - 1 padding bytes. This
+ * logic does not belong here; this is a short-term fix for a buffer
+ * underwrite.
+ */
+ if (MHLEN > (sizeof(struct ip) + ICMP_MINLEN + icmplen +
+ sizeof(long) - 1) & ~(sizeof(long) - 1))
m = m_gethdr(M_NOWAIT, MT_DATA);
else
m = m_getcl(M_NOWAIT, MT_DATA, M_PKTHDR);
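Review bot: Operator precedence defeats the new size test: in C, > binds tighter than &, so "MHLEN > (...) & ~(sizeof(long) - 1)" is evaluated as "(MHLEN > (...)) & ~(sizeof(long) - 1)". The comparison yields 0 or 1, the mask has its low bits clear, and the result is always 0, so every reply takes the m_getcl() branch. That does avoid the underwrite, but only by never using a header mbuf, which is not what the comment describes. Put the whole rounded-up sum in its own parentheses, or write it as roundup2(sizeof(struct ip) + ICMP_MINLEN + icmplen, sizeof(long)), so that MHLEN is compared against the aligned length.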
@@ -362,6 +368,7 @@
* reply should bypass as well.
*/
m->m_flags |= n->m_flags & M_SKIP_FIREWALL;
+ KASSERT(m->m_data >= M_START(m) + sizeof(struct ip));
m->m_data -= sizeof(struct ip);
m->m_len += sizeof(struct ip);
m->m_pkthdr.len = m->m_len;
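Review bot: The added KASSERT passes only the condition, but KASSERT() takes two arguments, the expression and a parenthesized printf-style message, so this line needs a message to build, for example KASSERT(m->m_data >= M_START(m) + sizeof(struct ip), ("%s: no room for IP header", __func__)). Note also that the assertion is only compiled into INVARIANTS kernels, so on production builds the subtraction from m_data is still protected solely by the size check in the first hunk.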
