[Bug 222670] Reinitialize mtod derived protocol header pointers in icmp_error after calling m_pullup
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Thu Sep 28 22:15:53 UTC 2017
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222670
Bug ID: 222670
Summary: Reinitialize mtod derived protocol header pointers in
icmp_error after calling m_pullup
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: prabhakar.lakhera at gmail.com
Header pointers need to be reinitialized in icmp_error after m_pullup calls:
Date: Thu Sep 28 15:06:28 2017 -0700
Reinitialize mtod derived protocol header pointers in icmp_error after
calling m_pullup
diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index 5983b3386af..4f466236864 100644
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -237,6 +237,12 @@ icmp_error(struct mbuf *n, int type, int code, uint32_t
dest, int mtu)
if (n->m_len < oiphlen + sizeof(struct tcphdr) &&
((n = m_pullup(n, oiphlen + sizeof(struct tcphdr))) ==
NULL))
goto freeit;
+
+ /*
+ * Reinitialize pointers derived from mbuf data pointer,
+ * after calling m_pullup
+ */
+ oip = mtod(n, struct ip *);
th = (struct tcphdr *)((caddr_t)oip + oiphlen);
tcphlen = th->th_off << 2;
if (tcphlen < sizeof(struct tcphdr))
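Review bot: The comment added before `oip = mtod(n, struct ip *);` records what is done but not why, and the same block is repeated at all four sites (here and in the hunks at -248, -262 and -272). m_pullup() can hand back a different mbuf from the one passed in and may free the old one, so a pointer taken with mtod() before the call can refer to storage that is no longer valid; that is the reason a later reader needs. A one-line form such as `/* m_pullup() may have replaced n; re-derive header pointers from the new mbuf. */` would carry it at each site. icmp_error's body starts and ends outside this hunk.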
@@ -248,6 +254,14 @@ icmp_error(struct mbuf *n, int type, int code, uint32_t
dest, int mtu)
if (n->m_len < oiphlen + tcphlen &&
((n = m_pullup(n, oiphlen + tcphlen)) == NULL))
goto freeit;
+
+ /*
+ * Reinitialize pointers derived from mbuf data pointer,
+ * after calling m_pullup
+ */
+ oip = mtod(n, struct ip *);
+ th = (struct tcphdr *)((caddr_t)oip + oiphlen);
+
icmpelen = max(tcphlen, min(V_icmp_quotelen,
ntohs(oip->ip_len) - oiphlen));
} else if (oip->ip_p == IPPROTO_SCTP) {
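Review bot: The re-derived `th` after the second m_pullup() is not read again in the lines shown here, since `tcphlen` was taken from it before the call and `icmpelen` uses only `oip`. If nothing further in the TCP branch dereferences it, the assignment is a dead store. Keeping it is defensible so that no stale pointer into the old mbuf survives, but then the comment should say so, for example `/* th is not used below; re-derived so it never dangles */`. The TCP branch begins before this hunk, so uses outside it cannot be ruled out from here.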
@@ -262,6 +276,12 @@ icmp_error(struct mbuf *n, int type, int code, uint32_t
dest, int mtu)
if (n->m_len < oiphlen + sizeof(struct sctphdr) &&
(n = m_pullup(n, oiphlen + sizeof(struct sctphdr))) ==
NULL)
goto freeit;
+
+ /*
+ * Reinitialize pointers derived from mbuf data pointer,
+ * after calling m_pullup
+ */
+ oip = mtod(n, struct ip *);
icmpelen = max(sizeof(struct sctphdr),
min(V_icmp_quotelen, ntohs(oip->ip_len) - oiphlen));
sh = (struct sctphdr *)((caddr_t)oip + oiphlen);
@@ -272,7 +292,15 @@ icmp_error(struct mbuf *n, int type, int code, uint32_t
dest, int mtu)
if (n->m_len < oiphlen + sizeof(struct sctphdr) + 8 &&
(n = m_pullup(n, oiphlen + sizeof(struct sctphdr) +
8)) == NULL)
goto freeit;
+
+ /*
+ * Reinitialize pointers derived from mbuf data
pointer,
+ * after calling m_pullup
+ */
+ oip = mtod(n, struct ip *);
+ sh = (struct sctphdr *)((caddr_t)oip + oiphlen);
ch = (struct sctp_chunkhdr *)(sh + 1);
+
if (ch->chunk_type == SCTP_INITIATION) {
icmpelen = max(sizeof(struct sctphdr) + 8,
min(V_icmp_quotelen, ntohs(oip->ip_len) -
oiphlen));