off-by-one error in ip_fragment, recently.
David Gilbert
dgilbert at dclg.ca
Sun Jan 11 19:47:35 PST 2004
Further in followup to the ip_fragment() bug, at the crash, off =
1500, len = 1480 and ip->ip_len = 21248. So m_copym() is being called
with off > len.
Dave.
--
============================================================================
|David Gilbert, Independent Contractor. | Two things can only be |
|Mail: dave at daveg.ca | equal if and only if they |
|http://daveg.ca | are precisely opposite. |
=========================================================GLO================
More information about the freebsd-current mailing list