kern/128134: src/sys/netinet - crc32c calculation at sctp_crc32.c

Yehuda Sadeh Weinraub yehudasa at gmail.com
Thu Oct 16 01:10:02 UTC 2008


>Number:         128134
>Category:       kern
>Synopsis:       src/sys/netinet - crc32c calculation at sctp_crc32.c
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Oct 16 01:10:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Yehuda Sadeh Weinraub
>Release:        FreeBSD 7.1-BETA i386
>Organization:
-
>Environment:


>Description:

It looks like there is some bug in the crc32c calculation at sctp_crc32.c.
The update_crc32() does the following:
   
    ...
    offset = ((uintptr_t) buffer) & 0x3;
    return (sctp_crc32c_sb8_64_bit(crc32c, buffer, length, offset));
   
Now, note that it passes the 'offset' parameter. However, the
sctp_crc32c_sb8_64_bit() treats the 4th parameter as init_bytes. This is
wrong. Also it does the following:
   
   running_length = ((length - init_bytes) / 8) * 8;
   
Now, if init_bytes is 3 and length is 1, running_length will overlap.
   
The following patch seems to fix it.
   
Yehuda

>How-To-Repeat:
>Fix:

--- a/src/common/sctp_crc32.c
+++ b/src/common/sctp_crc32.c
@@ -518,12 +518,18 @@ static uint32_t sctp_crc32c_sb8_64_bit(uint32_t crc,
     unsigned char const *p_buf,
     uint32_t length,
-    uint32_t init_bytes)
+    uint32_t offset)
 {
        uint32_t li;
        uint32_t term1, term2;
        uint32_t running_length;
        uint32_t end_bytes;
+       uint32_t init_bytes;
+
+       init_bytes = (4-offset) & 0x3;
+
+       if (init_bytes > length)
+               init_bytes = length;

        running_length = ((length - init_bytes) / 8) * 8;
        end_bytes = length - init_bytes - running_length;
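Review bot: The clamp `if (init_bytes > length) init_bytes = length;` has to sit ahead of `running_length = ((length - init_bytes) / 8) * 8;`, because both operands are uint32_t and the subtraction wraps modulo 2^32 once init_bytes exceeds length; it does here, so the length 1 / init_bytes 3 case from the description is closed and end_bytes can no longer wrap either. Two smaller points: `init_bytes = (4-offset) & 0x3;` is only correct if `offset` is `buffer & 0x3` as update_crc32() computes it, so the renamed parameter should carry a comment stating that contract (and style(9) would want `(4 - offset)`); and the hunk header is against `src/common/sctp_crc32.c` while the synopsis names `src/sys/netinet`, so the patch needs rebasing onto the FreeBSD path before it can be applied.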

>Release-Note:
>Audit-Trail:
>Unformatted:
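The unsigned wrap the report describes, as an added example that is not part of this PR or of the FreeBSD sources: a byte-wise CRC-32C (Castagnoli polynomial, reflected form 0x82F63B78) driven by the same prologue / 8-byte body / tail split that sctp_crc32c_sb8_64_bit() uses. The names prologue_bytes(), split_lengths() and crc32c_split() are this example's own. split_lengths() reproduces the report's case (length 1, init_bytes 3) with and without the patch's clamp, and crc32c() confirms that the clamped split still produces the standard CRC-32C check value 0xE3069283 for "123456789".

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not the kernel's sctp_crc32.c: byte-wise CRC-32C with the
 * same prologue / body / tail split, so the wrap in length - init_bytes can
 * be observed directly. */
#define CRC32C_POLY 0x82F63B78u

static uint32_t crc32c_table[256];
static int crc32c_table_ready;

static void crc32c_init_table(void)
{
	for (uint32_t i = 0; i < 256; i++) {
		uint32_t c = i;
		for (int k = 0; k < 8; k++)
			c = (c & 1) ? (c >> 1) ^ CRC32C_POLY : (c >> 1);
		crc32c_table[i] = c;
	}
	crc32c_table_ready = 1;
}

static uint32_t crc32c_byte(uint32_t crc, uint8_t b)
{
	return crc32c_table[(crc ^ b) & 0xFF] ^ (crc >> 8);
}

/* Bytes needed to move a pointer whose low two bits are `offset`
 * ((uintptr_t)buf & 0x3) up to the next 4-byte boundary: the
 * (4-offset) & 0x3 conversion the patch adds. */
static uint32_t prologue_bytes(uint32_t offset)
{
	return (4 - offset) & 0x3;
}

struct split {
	uint32_t init_bytes;     /* unaligned prologue, handled bytewise */
	uint32_t running_length; /* multiple of 8: the fast body */
	uint32_t end_bytes;      /* tail, handled bytewise */
};

/* The arithmetic from the report. clamp == 0 is the pre-patch behaviour:
 * both operands are uint32_t, so length - init_bytes wraps modulo 2^32 when
 * init_bytes > length and the body loop would run ~2^29 iterations past the
 * buffer. clamp == 1 applies the patch's check first. */
static struct split split_lengths(uint32_t length, uint32_t init_bytes, int clamp)
{
	struct split s;

	if (clamp && init_bytes > length)
		init_bytes = length;
	s.init_bytes = init_bytes;
	s.running_length = ((uint32_t)(length - init_bytes) / 8) * 8;
	s.end_bytes = (uint32_t)(length - init_bytes - s.running_length);
	return s;
}

/* Run the three loops over buf[0..len) with the clamped split. Every stage
 * is bytewise here, so the result is the plain CRC-32C for any alignment. */
static uint32_t crc32c_split(uint32_t crc, const uint8_t *buf, uint32_t len)
{
	struct split s = split_lengths(len,
	    prologue_bytes((uint32_t)((uintptr_t)buf & 0x3)), 1);
	uint32_t i;

	for (i = 0; i < s.init_bytes; i++)
		crc = crc32c_byte(crc, *buf++);
	for (i = 0; i < s.running_length / 8; i++)
		for (int k = 0; k < 8; k++)
			crc = crc32c_byte(crc, *buf++);
	for (i = 0; i < s.end_bytes; i++)
		crc = crc32c_byte(crc, *buf++);
	return crc;
}

/* Standard CRC-32C: initial value ~0, final complement. */
uint32_t crc32c(const void *data, size_t len)
{
	if (!crc32c_table_ready)
		crc32c_init_table();
	return ~crc32c_split(0xFFFFFFFFu, data, (uint32_t)len);
}

int main(void)
{
	/* Constructed input: the standard CRC-32C check string. */
	static const char check[] = "123456789";
	struct split bad = split_lengths(1, 3, 0);
	struct split good = split_lengths(1, 3, 1);

	printf("crc32c(\"123456789\") = 0x%08X\n", crc32c(check, 9));
	printf("length=1 init_bytes=3 unclamped: running_length=%u end_bytes=%u\n",
	    bad.running_length, bad.end_bytes);
	printf("length=1 init_bytes=3 clamped:   init_bytes=%u running_length=%u end_bytes=%u\n",
	    good.init_bytes, good.running_length, good.end_bytes);
	return 0;
}
```

Build with `cc -Wall -o crc32c_split crc32c_split.c` and run it. The unclamped line shows running_length 4294967288 (0xFFFFFFF8) for a one-byte buffer, which is the out-of-bounds read the report points at; the clamped line shows init_bytes 1 and both other counts 0.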