[Bug 193005] New: [patch] m_copymdata() doesn't copy data properly

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Tue Aug 26 02:27:40 UTC 2014


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193005

            Bug ID: 193005
           Summary: [patch] m_copymdata() doesn't copy data properly
           Product: Base System
           Version: 10.0-STABLE
          Hardware: Any
                OS: Any
            Status: Needs Triage
          Severity: Affects Some People
          Priority: Normal
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: keithr at freebsd.keithr.com

Created attachment 146286
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=146286&action=edit
Patch for the problems described in this bug.

There are several problems with m_copymdata() that prevent it from working
properly.  The first one is always fatal, the others cause it to copy
improperly in specific cases.

1. The m_bcopyxxx() function interprets its arguments in the incorrect order,
so it copies from the destination buffer to the source.
2. Because a pointer to the destination buffer is passed through m_apply() to
m_bcopyxxx(), if the source spans multiple mbufs, the contents of each source
mbuf will be copied to the same place in the destination mbuf, rather than
being concatenated.
3. In some places m_copymdata() checks for M_PKTHDR before performing pkthdr
manipulations, but in other places it does not.
4. In the shortcut that is taken if data is being appended and the last mbuf
has enough free space, the m_pkthdr.len field of the last mbuf in the chain is
incremented.  The correct thing to do in this case is to increment m_pkthdr.len
in the first mbuf in the chain.

I have attached a patch that provides one approach to fixing these problems. 
The fix for problem 2 involved changing m_bcopyxxx() to take a pointer to the
destination mbuf, determine the destination within its buffer to copy into, and
increment its m_len by the amount copied.  It does not check that there is
enough space in the destination; the code in m_copymdata() that passes
m_bcopyxxx to m_apply() ensures that there is enough space.

-- 
You are receiving this mail because:
You are the assignee for the bug.
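
Added example (not the attached patch and not FreeBSD source): a user-space C model of problem 2 and of the fix approach described in the report. `struct seg`, `seg_apply()`, `copy_fixed_dst()`, `copy_append()` and `run_copy()` are hypothetical stand-ins; only the `(arg, data, len)` callback shape follows m_apply(9), and the sample data is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for an mbuf: one small data segment per link. */
struct seg { struct seg *next; size_t len; char data[16]; };

/* Callback shape used by m_apply(9): (arg, data, len). */
typedef int (*apply_fn)(void *arg, void *data, unsigned int len);

/* Toy m_apply(): call f once per source segment (offset handling omitted). */
static int seg_apply(struct seg *s, apply_fn f, void *arg) {
    for (; s != NULL; s = s->next) {
        int rc = f(arg, s->data, (unsigned int)s->len);
        if (rc != 0)
            return rc;
    }
    return 0;
}

/* Problem 2: arg is a fixed destination pointer, so each source segment
 * is written to the same address and overwrites the previous one. */
static int copy_fixed_dst(void *arg, void *data, unsigned int len) {
    memcpy(arg, data, len);
    return 0;
}

/* Approach from the report: arg is the destination segment; copy to the
 * end of its data and advance its length. Space is the caller's job. */
static int copy_append(void *arg, void *data, unsigned int len) {
    struct seg *d = arg;
    memcpy(d->data + d->len, data, len);
    d->len += len;
    return 0;
}

/* Copy a constructed two-segment source ("abcd" + "EF") with either
 * callback; returns the destination length, destination bytes in out. */
static size_t run_copy(int fixed_dst, char out[16]) {
    struct seg s2 = { NULL, 2, "EF" }, s1 = { &s2, 4, "abcd" };
    struct seg dst = { NULL, 0, "" };
    if (fixed_dst)
        seg_apply(&s1, copy_fixed_dst, dst.data);
    else
        seg_apply(&s1, copy_append, &dst);
    memcpy(out, dst.data, sizeof(dst.data));
    return dst.len;
}

int main(void) {
    char a[16], b[16];
    size_t la = run_copy(1, a), lb = run_copy(0, b);
    printf("fixed dst: \"%s\" len=%zu\nappending: \"%s\" len=%zu\n", a, la, b, lb);
    return 0;
}
```

With the fixed destination pointer the second segment overwrites the first and the destination length is never updated; the appending callback concatenates the segments and tracks the length.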

