From 84f0e3fb0e0476e81f2041e5d66c828b1c8248fc Mon Sep 17 00:00:00 2001
From: Claudio Jeker
Date: Mon, 26 Feb 2007 20:15:34 +0000
Subject: m_dup1() copies the packet header and allocates the mbuf cluster in the wrong order. M_DUP_PKTHDR needs to be called with an empty mbuf. Allocating an mbuf cluster beforehand is not allowed as the resulting mbuf is no longer considered empty (part of the header is initialized). The correct order is to allocate an mbuf via MGETHDR(), copy the packet header and as last step allocate the cluster. Issue found by JINMEI Tatuya. OK canacar@ deraadt@ mglocker@ additional input itojun@

---
 sys/kern/uipc_mbuf2.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

(limited to 'sys')

diff --git a/sys/kern/uipc_mbuf2.c b/sys/kern/uipc_mbuf2.c
index 68c10a969d5..9a3ac666564 100644
--- a/sys/kern/uipc_mbuf2.c
+++ b/sys/kern/uipc_mbuf2.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: uipc_mbuf2.c,v 1.26 2007/01/03 18:39:56 claudio Exp $	*/
+/*	$OpenBSD: uipc_mbuf2.c,v 1.27 2007/02/26 20:15:33 claudio Exp $	*/
 /*	$KAME: uipc_mbuf2.c,v 1.29 2001/02/14 13:42:10 itojun Exp $	*/
 /*	$NetBSD: uipc_mbuf.c,v 1.40 1999/04/01 00:23:25 thorpej Exp $	*/
 
@@ -226,16 +226,14 @@ m_dup1(struct mbuf *m, int off, int len, int wait)
 {
 	struct mbuf *n;
 	int l;
-	int copyhdr;
 
 	if (len > MCLBYTES)
 		return (NULL);
 	if (off == 0 && (m->m_flags & M_PKTHDR) != 0) {
-		copyhdr = 1;
 		MGETHDR(n, wait, m->m_type);
+		M_DUP_PKTHDR(n, m);
 		l = MHLEN;
 	} else {
-		copyhdr = 0;
 		MGET(n, wait, m->m_type);
 		l = MLEN;
 	}
@@ -249,8 +247,6 @@ m_dup1(struct mbuf *m, int off, int len, int wait)
 	if (!n)
 		return (NULL);
 
-	if (copyhdr)
-		M_DUP_PKTHDR(n, m);
 	m_copydata(m, off, len, mtod(n, caddr_t));
 	n->m_len = len;
 
-- 
cgit v1.2.3
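Review bot: In the second hunk the added `M_DUP_PKTHDR(n, m);` runs directly after `MGETHDR(n, wait, m->m_type);` with no check that the allocation succeeded, so a non-blocking caller (MGETHDR can leave n == NULL when it cannot allocate) now dereferences a null mbuf before reaching the `if (!n) return (NULL);` that the third hunk shows later in the function. The old code deferred the header copy until after that check, which is why the reorder introduces the problem rather than inheriting it; the lines between the two hunks (presumably the cluster allocation) are not visible here, so whether they also touch n before the check cannot be confirmed from this diff. The minimal fix is to test the allocation before copying the header: `MGETHDR(n, wait, m->m_type);` followed by `if (n == NULL) return (NULL);` and then `M_DUP_PKTHDR(n, m);`. The body of m_dup1 continues outside both hunks.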