Date: Mon, 21 Oct 2002 15:04:41 -0700 (PDT) From: Brian Lai <junwen_lai@yahoo.com> To: freebsd-gnats-submit@FreeBSD.org Subject: misc/44361: possible raw socket bug Message-ID: <200210212204.g9LM4fAB026694@www.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 44361
>Category: misc
>Synopsis: possible raw socket bug
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Oct 21 15:10:02 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Brian Lai
>Release: 4.5
>Organization:
no
>Environment:
FreeBSD 4.5-RELEASE
>Description:
look at rip_output@sys/netinet/raw_ip.c, ip->ip_len, which is
in network byte order, is compared against m->m_pkthdr.len which is in
host byte order.
This bug is found when I am developing a user level TCP/IP stack.
As far as I know, this bug exits in 4.7 and 5.0-CURRENT.
>How-To-Repeat:
>Fix:
add
----------------
NTOHS(ip->ip_len);
NTOHS(ip->ip_off);
----------------
after
----------------
} else {
if (m->m_pkthdr.len > IP_MAXPACKET) {
m_freem(m);
return(EMSGSIZE);
}
ip = mtod(m, struct ip *);
----------------
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200210212204.g9LM4fAB026694>