summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlexander Bluhm <bluhm@cvs.openbsd.org>2011-02-05 17:29:06 +0000
committerAlexander Bluhm <bluhm@cvs.openbsd.org>2011-02-05 17:29:06 +0000
commitd1d6ddc24641be41f6a4c4f0027877d244936dc2 (patch)
treeb5fa1bab32d72dd5e62f3671438731e726109c31
parent4515d91db5080342bab395c673d6d8aabc0bb2ef (diff)
When a packet with an unusual protocol number got rewritten, the
header lenght was uninitialized. This resulted in a panic in m_clget(). Initialize hdrlen with 0 and call m_copyback() only if necessary. ok henning@
-rw-r--r--sys/net/pf.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 3ddad2188f7..59fd5fd3659 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.722 2011/01/22 11:43:57 bluhm Exp $ */
+/* $OpenBSD: pf.c,v 1.723 2011/02/05 17:29:05 bluhm Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -3047,7 +3047,7 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
}
/* copy back packet headers if we performed NAT operations */
- if (rewrite)
+ if (rewrite && hdrlen)
m_copyback(m, off, hdrlen, pd->hdr.any, M_NOWAIT);
#if NPFSYNC > 0
@@ -5517,6 +5517,7 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf *m,
if (pd->hdr.any == NULL)
panic("pf_setup_pdesc: no storage for headers provided");
+ *hdrlen = 0;
switch (af) {
#ifdef INET
case AF_INET: {