From owner-freebsd-hackers Mon Jun 23 05:20:14 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id FAA00832 for hackers-outgoing; Mon, 23 Jun 1997 05:20:14 -0700 (PDT)
Received: from gateway.cam-ani.co.uk (gateway.cam-ani.co.uk [193.195.55.1]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id FAA00827 for ; Mon, 23 Jun 1997 05:20:03 -0700 (PDT)
Received: from louie by gateway.cam-ani.co.uk (CAS1.1) id AA14067; Mon, 23 Jun 97 13:19:52 +0100
Received: from dumbo.cam-ani.co.uk (dumbo [192.42.172.34]) by louie.cam-ani.co.uk (8.7.5/8.7.3) with SMTP id NAA04824 for ; Mon, 23 Jun 1997 13:19:51 +0100 (BST)
Message-Id: <199706231219.NAA04824@louie.cam-ani.co.uk>
Received: by dumbo.cam-ani.co.uk (NX5.67f2/NX3.0X) id AA02830; Mon, 23 Jun 97 13:19:50 +0100
Content-Type: text/plain
Mime-Version: 1.0 (NeXT Mail 3.3 v118.2)
X-Nextstep-Mailer: Mail 3.3 (Enhance 2.0b5)
Received: by NeXT.Mailer (1.118.2)
From: Ian Stephenson
Date: Mon, 23 Jun 97 13:19:48 +0100
To: freebsd-hackers@FreeBSD.ORG
Subject: BPF bug
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

In FreeBSD-current/src/sys/net/bpf.c

    static void
    catchpacket(d, pkt, pktlen, snaplen, cpfn)
        register struct bpf_d *d;
        register u_char *pkt;
        register u_int pktlen, snaplen;
        register void (*cpfn)(const void *, void *, u_int);
    {
        register struct bpf_hdr *hp;
        register int totlen, curlen;
        register int hdrlen = d->bd_bif->bif_hdrlen;

        /*
         * Figure out how many bytes to move.  If the packet is
         * greater or equal to the snapshot length, transfer that
         * much.  Otherwise, transfer the whole packet (unless
         * we hit the buffer size limit).
         */
        totlen = hdrlen + min(snaplen, pktlen);
        ...
    }

appears to be doing a signed comparison of unsigned ints. This definitely crashes in 2.1.6 (I can't upgrade yet, so can't verify this is still a problem) when snaplen = 0xffffffff.

Replacing

    totlen = hdrlen + min(snaplen, pktlen);

with

    if (snaplen < pktlen)
        totlen = hdrlen + snaplen;
    else
        totlen = hdrlen + pktlen;

fixes the problem for me...

Ian
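The following is an added example, not part of the message above or of the FreeBSD source, that reproduces the arithmetic the report describes: a min() that compares its arguments as signed int, applied to the u_int snaplen/pktlen of catchpacket(), against the explicit unsigned comparison the message proposes. The signed_min() helper, the header length of 18 and the packet length of 60 are constructed for the demonstration; the (int) cast of 0xffffffff yielding -1 assumes two's-complement int, as on the platforms the report concerns.

```c
#include <stdio.h>

typedef unsigned int u_int;

/* Constructed stand-in for a min() that compares as signed int.  This is
 * the behaviour the report diagnoses; it is not the real FreeBSD macro. */
static int signed_min(int a, int b)
{
    return a < b ? a : b;
}

/* totlen computed the way the quoted catchpacket() does it, but with the
 * signed min().  Both lengths are u_int, so they are converted to int for
 * the comparison: 0xffffffff becomes -1 and "wins" against any real
 * packet length, and hdrlen + (u_int)-1 wraps to hdrlen - 1. */
u_int totlen_signed(u_int hdrlen, u_int snaplen, u_int pktlen)
{
    return hdrlen + (u_int)signed_min((int)snaplen, (int)pktlen);
}

/* totlen with the explicit unsigned comparison proposed in the message:
 * no conversion to int, so a huge snaplen simply means "whole packet". */
u_int totlen_fixed(u_int hdrlen, u_int snaplen, u_int pktlen)
{
    if (snaplen < pktlen)
        return hdrlen + snaplen;
    return hdrlen + pktlen;
}

/* A cheap invariant a caller can check: the total length must at least
 * cover the BPF header, otherwise the payload length (totlen - hdrlen)
 * has wrapped and must not be used for a copy. */
int totlen_covers_header(u_int hdrlen, u_int totlen)
{
    return totlen >= hdrlen;
}

int main(void)
{
    const u_int hdrlen  = 18;          /* constructed link-layer header length */
    const u_int pktlen  = 60;          /* constructed packet length */
    const u_int snaplen = 0xffffffffu; /* the value from the report */

    u_int bad  = totlen_signed(hdrlen, snaplen, pktlen);
    u_int good = totlen_fixed(hdrlen, snaplen, pktlen);

    printf("signed min:   totlen = %u (covers header: %d)\n",
           bad, totlen_covers_header(hdrlen, bad));
    printf("unsigned cmp: totlen = %u (covers header: %d)\n",
           good, totlen_covers_header(hdrlen, good));
    return 0;
}
```

With the report's snaplen of 0xffffffff the signed path produces a totlen of 17, one byte short of the header itself, so any payload length derived from it wraps to a huge value; the unsigned comparison yields 78, the header plus the whole 60-byte packet.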