svn commit: r183923 - head/sys/netinet6
Bjoern A. Zeeb
bz at FreeBSD.org
Wed Oct 15 19:24:18 UTC 2008
Author: bz
Date: Wed Oct 15 19:24:18 2008
New Revision: 183923
URL: http://svn.freebsd.org/changeset/base/183923
Log:
Check that the mbuf len is positive (like we do in the v4 case).
Read the other way round this means that even with the checks
the m_len turned negative in some cases which led to panics.
The reason to my understanding seems to be that the checks are wrong
(also for v4) ignoring possible padding when checking cmsg_len or
padding after data when adjusting the mbuf.
Doing proper cheks seems to break applications like named so
further investigation and regression tests are needed.
PR: kern/119123
Tested by: Ashish Shukla wahjava gmail.com
MFC after: 3 days
Modified:
head/sys/netinet6/ip6_output.c
Modified: head/sys/netinet6/ip6_output.c
==============================================================================
--- head/sys/netinet6/ip6_output.c Wed Oct 15 16:58:35 2008 (r183922)
+++ head/sys/netinet6/ip6_output.c Wed Oct 15 19:24:18 2008 (r183923)
@@ -2820,7 +2820,7 @@ ip6_setpktopts(struct mbuf *control, str
if (control->m_next)
return (EINVAL);
- for (; control->m_len; control->m_data += CMSG_ALIGN(cm->cmsg_len),
+ for (; control->m_len > 0; control->m_data += CMSG_ALIGN(cm->cmsg_len),
control->m_len -= CMSG_ALIGN(cm->cmsg_len)) {
int error;
More information about the svn-src-all
mailing list