authorClaudio Jeker <claudio@cvs.openbsd.org>2007-02-26 20:15:34 +0000
committerClaudio Jeker <claudio@cvs.openbsd.org>2007-02-26 20:15:34 +0000
commit84f0e3fb0e0476e81f2041e5d66c828b1c8248fc (patch)
treeb2ee7567750ee4e0ac081344b6efaaf488b8ca1a /sys
parent17e4175597285a64de9d6b17755635d5e0b6c429 (diff)
m_dup1() copies the packet header and allocates the mbuf cluster in the
wrong order. M_DUP_PKTHDR needs to be called with an empty mbuf. Allocating an mbuf cluster beforehand is not allowed as the resulting mbuf is no longer considered empty (part of the header is initialized). The correct order is to allocate an mbuf via MGETHDR(), copy the packet header and, as the last step, allocate the cluster. Issue found by JINMEI Tatuya. OK canacar@ deraadt@ mglocker@ additional input itojun@
Diffstat (limited to 'sys')
-rw-r--r--sys/kern/uipc_mbuf2.c8
1 files changed, 2 insertions, 6 deletions
diff --git a/sys/kern/uipc_mbuf2.c b/sys/kern/uipc_mbuf2.c
index 68c10a969d5..9a3ac666564 100644
--- a/sys/kern/uipc_mbuf2.c
+++ b/sys/kern/uipc_mbuf2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: uipc_mbuf2.c,v 1.26 2007/01/03 18:39:56 claudio Exp $ */
+/* $OpenBSD: uipc_mbuf2.c,v 1.27 2007/02/26 20:15:33 claudio Exp $ */
/* $KAME: uipc_mbuf2.c,v 1.29 2001/02/14 13:42:10 itojun Exp $ */
/* $NetBSD: uipc_mbuf.c,v 1.40 1999/04/01 00:23:25 thorpej Exp $ */
@@ -226,16 +226,14 @@ m_dup1(struct mbuf *m, int off, int len, int wait)
{
struct mbuf *n;
int l;
- int copyhdr;
if (len > MCLBYTES)
return (NULL);
if (off == 0 && (m->m_flags & M_PKTHDR) != 0) {
- copyhdr = 1;
MGETHDR(n, wait, m->m_type);
+ M_DUP_PKTHDR(n, m);
l = MHLEN;
} else {
- copyhdr = 0;
MGET(n, wait, m->m_type);
l = MLEN;
}
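Review bot: `M_DUP_PKTHDR(n, m)` now runs directly after `MGETHDR(n, wait, m->m_type)` in the `off == 0` branch, before `n` has been checked; the `if (!n) return (NULL);` test only appears later, in the next hunk. If MGETHDR can leave `n` NULL (which that later check implies, presumably when `wait` does not permit sleeping), the header copy would write through a NULL pointer in kernel context. Before this change the copy sat behind that check, so the reordering should carry its own guard, `if (n == NULL) return (NULL);`, placed between the two macro calls. A short comment such as `/* pkthdr must be copied while n is still empty, before any cluster is attached */` would also keep the ordering from being undone later. The body of m_dup1 continues past the end of this hunk.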
@@ -249,8 +247,6 @@ m_dup1(struct mbuf *m, int off, int len, int wait)
if (!n)
return (NULL);
- if (copyhdr)
- M_DUP_PKTHDR(n, m);
m_copydata(m, off, len, mtod(n, caddr_t));
n->m_len = len;