Date: Mon, 21 Oct 2002 15:04:41 -0700 (PDT)
From: Brian Lai <junwen_lai@yahoo.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/44361: possible raw socket bug
Message-ID: <200210212204.g9LM4fAB026694@www.freebsd.org>

>Number:         44361
>Category:       misc
>Synopsis:       possible raw socket bug
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Oct 21 15:10:02 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Brian Lai
>Release:        4.5
>Organization:
no
>Environment:
FreeBSD 4.5-RELEASE
>Description:
Look at rip_output@sys/netinet/raw_ip.c: ip->ip_len, which is in network
byte order, is compared against m->m_pkthdr.len, which is in host byte
order. This bug was found while I was developing a user-level TCP/IP stack.
As far as I know, this bug exists in 4.7 and 5.0-CURRENT.
>How-To-Repeat:

>Fix:
add
----------------
NTOHS(ip->ip_len);
NTOHS(ip->ip_off);
----------------
after
----------------
} else {
	if (m->m_pkthdr.len > IP_MAXPACKET) {
		m_freem(m);
		return(EMSGSIZE);
	}
	ip = mtod(m, struct ip *);
----------------
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
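The kind of mismatch the report describes, as an added user-space example that is not part of the original message and is not FreeBSD kernel code: a 16-bit length field stored in network byte order is compared with a host-order buffer length, first as stored and then after ntohs(). The helper names, the constructed 20-byte header, and the direction of the check (a header length larger than the buffer is rejected) are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 20  /* IPv4 header without options */

/* Read the 16-bit total-length field (offset 2) exactly as stored in memory. */
static uint16_t len_as_stored(const uint8_t *pkt)
{
    uint16_t v;
    memcpy(&v, pkt + 2, sizeof v);
    return v;
}

/* No conversion: network-order field against host-order length. 1 = accepted. */
static int check_unconverted(const uint8_t *pkt, size_t buf_len)
{
    return len_as_stored(pkt) <= buf_len;
}

/* After ntohs(): both operands are in host byte order. 1 = accepted. */
static int check_converted(const uint8_t *pkt, size_t buf_len)
{
    return ntohs(len_as_stored(pkt)) <= buf_len;
}

/* Build a constructed header claiming total_len, then run one of the checks. */
static int accepts(uint16_t total_len, size_t buf_len, int convert)
{
    uint8_t pkt[HDR_LEN] = { 0x45 };   /* version 4, IHL 5, rest zero */
    uint16_t n = htons(total_len);     /* field set in network order */
    memcpy(pkt + 2, &n, sizeof n);
    return convert ? check_converted(pkt, buf_len)
                   : check_unconverted(pkt, buf_len);
}

int main(void)
{
    uint16_t claims[] = { 40, 256 };   /* header claims 40, then 256 bytes */
    for (size_t i = 0; i < 2; i++)
        printf("claimed=%u buffer=40 unconverted=%d converted=%d\n",
               (unsigned)claims[i], accepts(claims[i], 40, 0),
               accepts(claims[i], 40, 1));
    return 0;
}
```

On a little-endian host the unconverted check rejects the consistent 40-byte packet and accepts the header that claims 256 bytes in a 40-byte buffer; on a big-endian host both checks agree.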