Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 11 Jan 2004 00:50:37 +0100
From:      Andre Oppermann <andre@freebsd.org>
To:        David Gilbert <dgilbert@dclg.ca>, freebsd-net@freebsd.org, freebsd-current@freebsd.org
Subject:   Re: off-by-one error in ip_fragment, recently.
Message-ID:  <40008FCD.90525A33@freebsd.org>
References:  <16384.14322.83258.940369@canoe.dclg.ca> <40008783.330FAFF4@freebsd.org>

next in thread | previous in thread | raw e-mail | index | archive | help
Andre Oppermann wrote:
> 
> David Gilbert wrote:
> >
> > I just updated a machine that uses GRE to -CURRENT.  Upon rebooting,
> > the debugger stopped at the following:
> >
> > "panic: m_copym, offset > size of mbuf chain"
> 
> There are two possible ways this can happen:  The function m_copym
> was called with off == 0, or off == m->m_len.  Neither is supposed
> to happen (obviously) so the bug must be in ip_fragment.  Lets have
> a look at that next...

There seems to be a bug in m_copym() anyway, but it's not the one
you trip over because we are getting into the while loop again.

However if off == m_len it would not break and trash *m for a panic
a few lines later.

-- 
Andre


Index: uipc_mbuf.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/uipc_mbuf.c,v
retrieving revision 1.124
diff -u -p -r1.124 uipc_mbuf.c
--- uipc_mbuf.c 25 Dec 2003 01:17:27 -0000      1.124
+++ uipc_mbuf.c 10 Jan 2004 23:47:36 -0000
@@ -199,7 +199,7 @@ m_copym(struct mbuf *m, int off0, int le
                copyhdr = 1;
        while (off > 0) {
                KASSERT(m != NULL, ("m_copym, offset > size of mbuf chain"));
-               if (off < m->m_len)
+               if (off <= m->m_len)
                        break;
                off -= m->m_len;
                m = m->m_next;



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?40008FCD.90525A33>