[Bug 193005] New: [patch] m_copymdata() doesn't copy data properly
bugzilla-noreply at freebsd.org
Tue Aug 26 02:27:40 UTC 2014
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193005
Bug ID: 193005
Summary: [patch] m_copymdata() doesn't copy data properly
Product: Base System
Version: 10.0-STABLE
Hardware: Any
OS: Any
Status: Needs Triage
Severity: Affects Some People
Priority: Normal
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: keithr at freebsd.keithr.com
Created attachment 146286
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=146286&action=edit
Patch for the problems described in this bug.

There are several problems with m_copymdata() that prevent it from working
properly. The first one is always fatal, the others cause it to copy
improperly in specific cases.

1. The m_bcopyxxx() function interprets its arguments in the incorrect order,
so it copies from the destination buffer to the source.

2. Because a pointer to the destination buffer is passed through m_apply() to
m_bcopyxxx(), if the source spans multiple mbufs, the contents of each source
mbuf will be copied to the same place in the destination mbuf, rather than
being concatenated.

3. In some places m_copymdata() checks for M_PKTHDR before performing pkthdr
manipulations, but in other places it does not.

4. In the shortcut that is taken if data is being appended and the last mbuf
has enough free space, the m_pkthdr.len field of the last mbuf in the chain is
incremented. The correct thing to do in this case is to increment m_pkthdr.len
in the first mbuf in the chain.

I have attached a patch that provides one approach to fixing these problems.
The fix for problem 2 involved changing m_bcopyxxx() to take a pointer to the
destination mbuf, determine the destination within its buffer to copy into, and
increment its m_len by the amount copied. It does not check that there is
enough space in the destination; the code in m_copymdata() that passes
m_bcopyxxx to m_apply() ensures that there is enough space.
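
Problem 2 from the report and the reported approach to fixing it, modelled in user-space C as an added example (this is not the attached patch and not FreeBSD code). `struct buf`, `chain_apply`, `copy_fixed_ptr`, `copy_append` and `demo` are hypothetical stand-ins for the mbuf, m_apply() and the copy callback, and the two-buffer source chain is constructed sample data.

```c
#include <stdio.h>
#include <string.h>

/* Simplified user-space stand-in for an mbuf (assumption, not the kernel struct). */
struct buf { struct buf *next; size_t len; char data[32]; };
typedef int (*apply_fn)(void *arg, void *data, size_t len);

/* Modelled on m_apply(): call f(arg, data, len) once per buffer in the chain. */
static int chain_apply(struct buf *b, apply_fn f, void *arg)
{
    for (; b != NULL; b = b->next)
        if (f(arg, b->data, b->len) != 0)
            return -1;
    return 0;
}

/* Problem 2: one fixed destination pointer, so each source buffer overwrites the last. */
static int copy_fixed_ptr(void *arg, void *data, size_t len)
{
    memcpy(arg, data, len);   /* memcpy(dst, src, n); bcopy() takes (src, dst, n) */
    return 0;
}

/* Reported approach: arg is the destination buffer; append at data + len, advance len. */
static int copy_append(void *arg, void *data, size_t len)
{
    struct buf *dst = arg;
    memcpy(dst->data + dst->len, data, len);   /* caller guarantees the space */
    dst->len += len;
    return 0;
}

/* Copy the constructed chain "abcd" -> "EF"; out needs 32 bytes. Returns dst len. */
static size_t demo(int use_append, char *out)
{
    struct buf s2 = { NULL, 2, "EF" }, s1 = { &s2, 4, "abcd" }, dst = { NULL, 0, "" };
    chain_apply(&s1, use_append ? copy_append : copy_fixed_ptr,
                use_append ? (void *)&dst : (void *)dst.data);
    memcpy(out, dst.data, sizeof dst.data);
    return dst.len;
}

int main(void)
{
    char out[32];
    size_t n = demo(0, out);
    printf("fixed pointer: %s (len %zu)\n", out, n);
    n = demo(1, out);
    printf("append: %s (len %zu)\n", out, n);
}
```

With the fixed pointer the second source buffer lands on top of the first and the destination length is never updated; with the append callback the two buffers are concatenated and the length tracks the bytes copied.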