author | Claudio Jeker <claudio@cvs.openbsd.org> | 2007-02-26 20:15:34 +0000 |
---|---|---|
committer | Claudio Jeker <claudio@cvs.openbsd.org> | 2007-02-26 20:15:34 +0000 |
commit | 84f0e3fb0e0476e81f2041e5d66c828b1c8248fc (patch) | |
tree | b2ee7567750ee4e0ac081344b6efaaf488b8ca1a /sys/kern | |
parent | 17e4175597285a64de9d6b17755635d5e0b6c429 (diff) |
m_dup1() copies the packet header and allocates the mbuf cluster in the
wrong order. M_DUP_PKTHDR needs to be called with an empty mbuf.
Allocating an mbuf cluster beforehand is not allowed as the resulting mbuf is
no longer considered empty (part of the header is initialized).
The correct order is to allocate an mbuf via MGETHDR(), copy the packet header
and as last step allocate the cluster.
Issue found by JINMEI Tatuya.
OK canacar@ deraadt@ mglocker@ additional input itojun@
Diffstat (limited to 'sys/kern')
-rw-r--r-- | sys/kern/uipc_mbuf2.c | 8 |
1 files changed, 2 insertions, 6 deletions
diff --git a/sys/kern/uipc_mbuf2.c b/sys/kern/uipc_mbuf2.c
index 68c10a969d5..9a3ac666564 100644
--- a/sys/kern/uipc_mbuf2.c
+++ b/sys/kern/uipc_mbuf2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: uipc_mbuf2.c,v 1.26 2007/01/03 18:39:56 claudio Exp $ */
+/* $OpenBSD: uipc_mbuf2.c,v 1.27 2007/02/26 20:15:33 claudio Exp $ */
 /* $KAME: uipc_mbuf2.c,v 1.29 2001/02/14 13:42:10 itojun Exp $ */
 /* $NetBSD: uipc_mbuf.c,v 1.40 1999/04/01 00:23:25 thorpej Exp $ */
@@ -226,16 +226,14 @@ m_dup1(struct mbuf *m, int off, int len, int wait)
 {
 struct mbuf *n;
 int l;
- int copyhdr;
 if (len > MCLBYTES)
 return (NULL);
 if (off == 0 && (m->m_flags & M_PKTHDR) != 0) {
- copyhdr = 1;
 MGETHDR(n, wait, m->m_type);
+ M_DUP_PKTHDR(n, m);
 l = MHLEN;
 } else {
- copyhdr = 0;
 MGET(n, wait, m->m_type);
 l = MLEN;
 }
@@ -249,8 +247,6 @@ m_dup1(struct mbuf *m, int off, int len, int wait)
 if (!n)
 return (NULL);
- if (copyhdr)
- M_DUP_PKTHDR(n, m);
 m_copydata(m, off, len, mtod(n, caddr_t));
 n->m_len = len; |
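Review bot: In the second hunk, `M_DUP_PKTHDR(n, m);` now runs immediately after `MGETHDR(n, wait, m->m_type);`, before any check that the allocation succeeded. The `if (!n) return (NULL);` kept as context in the third hunk suggests MGETHDR can leave n NULL, and the old code only copied the header after that check, so a failed allocation would presumably make the header copy dereference a NULL mbuf in the kernel. A guard between the two lines, `if (n == NULL) return (NULL);`, would keep the required empty-mbuf ordering without that risk. The lines of m_dup1 between the second and third hunks are not shown, so the cluster-allocation path could not be checked here.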