Date:      Fri, 13 Apr 2007 12:45:02 GMT
From:      Thomas Karcher <thkarcher@gmx.de>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/111537: [patch] ip6_input() treats mbuf cluster wrong
Message-ID:  <200704131245.l3DCj2x3094100@www.freebsd.org>
Resent-Message-ID: <200704131300.l3DD09XY080780@freefall.freebsd.org>


>Number:         111537
>Category:       kern
>Synopsis:       [patch] ip6_input() treats mbuf cluster wrong
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Apr 13 13:00:09 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Thomas Karcher
>Release:        RELENG_6_2_0_RELEASE
>Organization:
>Environment:
>Description:

In ip6_input(), after line 294, a bunch of code takes care of copying the mbuf/mbuf cluster to a more KAME-conformant mbuf/mbuf cluster - but in my opinion, it does not do it completely right ...

In line 318, the m_copydata() call works only if the new mbuf n is "just" an mbuf and not an mbuf cluster. See the solution for what I mean.
>How-To-Repeat:

>Fix:
I think the code should look like this:

 318                 if (n && n->m_pkthdr.len > MHLEN) {
 319                         m_copydata(m, 0, n->m_pkthdr.len, n->m_ext.ext_buf);
 320                         n->m_data = n->m_ext.ext_buf;
 321                 } else {
 322                         m_copydata(m, 0, n->m_pkthdr.len, mtod(n, caddr_t));
 323                 }

Please find a diff attached.


Patch attached with submission follows:

Index: netinet6/ip6_input.c
===================================================================
--- netinet6/ip6_input.c	(revision 576)
+++ netinet6/ip6_input.c	(working copy)
@@ -315,7 +315,12 @@
 			return;	/* ENOBUFS */
 		}
 
-		m_copydata(m, 0, n->m_pkthdr.len, mtod(n, caddr_t));
+		if (n && n->m_pkthdr.len > MHLEN) {
+			m_copydata(m, 0, n->m_pkthdr.len, n->m_ext.ext_buf);
+			n->m_data = n->m_ext.ext_buf;
+		} else {
+			m_copydata(m, 0, n->m_pkthdr.len, mtod(n, caddr_t));
+		}
 		n->m_len = n->m_pkthdr.len;
 		m_freem(m);
 		m = n;
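
Review bot: the `n &&` guard in the added `if (n && n->m_pkthdr.len > MHLEN)` protects nothing, because the `else` branch and the unchanged `n->m_len = n->m_pkthdr.len;` right after it both dereference `n` unconditionally. The context above the change already ends in `return; /* ENOBUFS */`, which appears to be the allocation-failure path, so drop the guard rather than suggest that `n` can be NULL at this point. The same condition uses the packet length as a stand-in for "n has external storage"; testing `n->m_flags & M_EXT` before touching `n->m_ext.ext_buf` would state that directly and stay correct if the allocation logic above this hunk changes. A short comment on why `n->m_data` has to be reset to `ext_buf` in the cluster case would also help, since the hunk does not show where it would have been moved away from it.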

>Release-Note:
>Audit-Trail:
>Unformatted:


