Subject: Re: kern/32928: bpf filter can fail to extract a 32-bit quantity
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: Pavel Cahyna <pavel.cahyna@st.mff.cuni.cz>
List: netbsd-bugs
Date: 02/25/2006 13:45:02
The following reply was made to PR kern/32928; it has been noted by GNATS.
From: Pavel Cahyna <pavel.cahyna@st.mff.cuni.cz>
To: Rui Paulo <rpaulo@fnop.net>
Cc: gnats-bugs@netbsd.org
Subject: Re: kern/32928: bpf filter can fail to extract a 32-bit quantity
Date: Sat, 25 Feb 2006 14:42:50 +0100
On Sat, Feb 25, 2006 at 12:51:33PM +0000, Rui Paulo wrote:
> --- bpf_filter.c.~1.29.~ 2006-02-10 20:08:13.000000000 +0000
> +++ bpf_filter.c 2006-02-25 12:51:07.000000000 +0000
> @@ -98,9 +98,13 @@ m_xword(struct mbuf *m, uint32_t k, int
> *err = 0;
> return EXTRACT_LONG(cp);
> }
> - m0 = m->m_next;
> - if (m0 == 0 || m0->m_len + len - k < 4)
> - goto bad;
> +
> + for (m0 = m->m_next; ; m0 = m0->next) {
> + if (m0 == 0)
> + goto bad;
> + if (m0->m_len + len - k >= 4)
> + break;
> + }
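Review bot: The loop in the added block advances with `m0 = m0->next`, but the mbuf chain link used elsewhere in this same hunk is `m_next` (`m0 = m->m_next`), so this will not compile as written; it should read `m0 = m0->m_next`. Beyond that, `len` is never increased by `m0->m_len` for each mbuf that fails the `m0->m_len + len - k >= 4` test, so after the first iteration the offset arithmetic no longer reflects where `k` falls within the chain, and whatever mbuf eventually satisfies the check will be read at the wrong offset. The original `goto bad` on a short next mbuf is at least safe; if the goal is to extract a word that straddles more than two mbufs, the bytes have to be gathered across the intervening mbufs rather than the mbufs skipped until one happens to be long enough.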
Sorry, I don't see how this is supposed to work. This would skip the short
mbuf(s) and read different data than it is supposed to.
BTW I'm planning to reorganize this code a bit... I just wanted to know if
this is an actual bug and if calling m_xhalf twice would be OK.