git: d9f8e8aa11a6 - releng/15.0 - tcp over udp: don't copy more bytes than avaiable
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 28 Oct 2025 01:59:11 UTC
The branch releng/15.0 has been updated by cperciva:
URL: https://cgit.FreeBSD.org/src/commit/?id=d9f8e8aa11a611a8d5d7357c8b732aa07cb2b9e0
commit d9f8e8aa11a611a8d5d7357c8b732aa07cb2b9e0
Author: Michael Tuexen <tuexen@FreeBSD.org>
AuthorDate: 2025-10-23 07:24:09 +0000
Commit: Colin Percival <cperciva@FreeBSD.org>
CommitDate: 2025-10-28 01:58:23 +0000
tcp over udp: don't copy more bytes than avaiable
When copying the data in the first mbuf to get rid of the UDP
header, use the correct length. It was copying too much (8 bytes,
the length of the UDP header).
This only applies to handling TCP over UDP packets. The support for
TCP over UDP is disabled by default.
Approved by: re (cperciva)
Reported by: jtl
Reviewed by: Peter Lei
Sponsored by: Netflix, Inc.
(cherry picked from commit bfda98a42027417b2fa74738c63327532013e93b)
(cherry picked from commit c566953da83f0faf8e335aa7a5e54e48107c7e5a)
---
sys/netinet/tcp_subr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index c817c79881d6..b6f428b279b3 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -607,7 +607,7 @@ tcp_recv_udp_tunneled_packet(struct mbuf *m, int off, struct inpcb *inp,
}
}
m->m_pkthdr.tcp_tun_port = port = uh->uh_sport;
- bcopy(th, uh, m->m_len - off);
+ bcopy(th, uh, m->m_len - off - sizeof(struct udphdr));
m->m_len -= sizeof(struct udphdr);
m->m_pkthdr.len -= sizeof(struct udphdr);
/*