Date:      Tue, 25 Aug 2009 12:32:16 +0000 (UTC)
From:      "Bjoern A. Zeeb" <bz@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org
Subject:   svn commit: r196538 - in stable/7/sys: . contrib/pf kern
Message-ID:  <200908251232.n7PCWGt1027748@svn.freebsd.org>

Author: bz
Date: Tue Aug 25 12:32:16 2009
New Revision: 196538
URL: http://svn.freebsd.org/changeset/base/196538

Log:
  MFC r182842:
  
    Catch a possible NULL pointer deref in case the offsets got mangled
    somehow.
    As a consequence we may now get an unexpected result(*).
    Catch that error case with a well-defined panic giving appropriate
    pointers to ease debugging.
  
    (*) While the consensus was that the case should never happen unless
        there was a bug, no one was definitively sure.

Modified:
  stable/7/sys/   (props changed)
  stable/7/sys/contrib/pf/   (props changed)
  stable/7/sys/kern/uipc_sockbuf.c

Modified: stable/7/sys/kern/uipc_sockbuf.c
==============================================================================
--- stable/7/sys/kern/uipc_sockbuf.c	Tue Aug 25 11:44:17 2009	(r196537)
+++ stable/7/sys/kern/uipc_sockbuf.c	Tue Aug 25 12:32:16 2009	(r196538)
@@ -930,11 +930,13 @@ sbsndptr(struct sockbuf *sb, u_int off, 
 
 	/* Advance by len to be as close as possible for the next transmit. */
 	for (off = off - sb->sb_sndptroff + len - 1;
-	     off > 0 && off >= m->m_len;
+	     off > 0 && m != NULL && off >= m->m_len;
 	     m = m->m_next) {
 		sb->sb_sndptroff += m->m_len;
 		off -= m->m_len;
 	}
+	if (off > 0 && m == NULL)
+		panic("%s: sockbuf %p and mbuf %p clashing", __func__, sb, ret);
 	sb->sb_sndptr = m;
 
 	return (ret);
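Review bot: the new panic string after the loop prints only `sb` and `ret`, but the values that decide whether it fires are `off` and `sb->sb_sndptroff`, and by the time `if (off > 0 && m == NULL)` runs the loop has already added to `sb->sb_sndptroff` and subtracted from `off`. Because `off` is a `u_int`, a mangled offset that makes `off - sb->sb_sndptroff + len - 1` wrap shows up as a very large remaining `off`, which is exactly what someone reading the panic would want to see. Suggest saving the incoming `off` and `sb->sb_sndptroff` before the `for` and including them, together with the remaining `off`, in the panic message. Separately, `off > 0` on an unsigned value is just a non-zero test, so `off != 0` would state the intent more directly in both the loop condition and the new check.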


