Re: off-by-one error in ip_fragment, recently.

From: Andre Oppermann <andre_at_freebsd.org>
Date: Sun, 11 Jan 2004 00:50:37 +0100
Andre Oppermann wrote:
> 
> David Gilbert wrote:
> >
> > I just updated a machine that uses GRE to -CURRENT.  Upon rebooting,
> > the debugger stopped at the following:
> >
> > "panic: m_copym, offset > size of mbuf chain"
> 
> There are two possible ways this can happen:  The function m_copym
> was called with off == 0, or off == m->m_len.  Neither is supposed
> to happen (obviously) so the bug must be in ip_fragment.  Lets have
> a look at that next...

There seems to be a bug in m_copym() anyway, but it's not the one
you trip over because we are getting into the while loop again.

However if off == m_len it would not break and trash *m for a panic
a few lines later.

-- 
Andre


Index: uipc_mbuf.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/uipc_mbuf.c,v
retrieving revision 1.124
diff -u -p -r1.124 uipc_mbuf.c
--- uipc_mbuf.c 25 Dec 2003 01:17:27 -0000      1.124
+++ uipc_mbuf.c 10 Jan 2004 23:47:36 -0000
_at__at_ -199,7 +199,7 _at__at_ m_copym(struct mbuf *m, int off0, int le
                copyhdr = 1;
        while (off > 0) {
                KASSERT(m != NULL, ("m_copym, offset > size of mbuf chain"));
-               if (off < m->m_len)
+               if (off <= m->m_len)
                        break;
                off -= m->m_len;
                m = m->m_next;
Received on Sat Jan 10 2004 - 14:51:52 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:37:37 UTC