Subject: Re: kern/32928: bpf filter can fail to extract a 32-bit quantity
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: Pavel Cahyna <pavel.cahyna@st.mff.cuni.cz>
List: netbsd-bugs
Date: 02/25/2006 14:10:03
The following reply was made to PR kern/32928; it has been noted by GNATS.
From: Pavel Cahyna <pavel.cahyna@st.mff.cuni.cz>
To: Rui Paulo <rpaulo@fnop.net>
Cc: gnats-bugs@netbsd.org
Subject: Re: kern/32928: bpf filter can fail to extract a 32-bit quantity
Date: Sat, 25 Feb 2006 15:05:25 +0100
On Sat, Feb 25, 2006 at 01:52:38PM +0000, Rui Paulo wrote:
> > BTW I'm planning to reorganize this code a bit... I just wanted to know if
> > this is an actual bug and if calling m_xhalf twice would be OK.
>
> Alright. IIUC, m_xhalf will never be called twice with the same mbuf,
> but I can be completely wrong and you'll probably correct me :-)
I'm proposing this, so m_xhalf would actually be called twice with the
same mbuf (of course, error handling is unfinished):
Index: bpf_filter.c
===================================================================
RCS file: /home/pavel/cvs/src/sys/net/bpf_filter.c,v
retrieving revision 1.29
diff -u -c -r1.29 bpf_filter.c
cvs diff: conflicting specifications of output style
--- bpf_filter.c 7 Feb 2006 20:10:48 -0000 1.29
+++ bpf_filter.c 25 Feb 2006 14:01:27 -0000
@@ -97,27 +97,10 @@
if (len >= k + 4) {
*err = 0;
return EXTRACT_LONG(cp);
+ } else {
+ return (m_xhalf(m, k, err) << 16) | m_xhalf(m, k+2, err);
}
- m0 = m->m_next;
- if (m0 == 0 || m0->m_len + len - k < 4)
- goto bad;
- *err = 0;
- np = mtod(m0, u_char *);
- switch (len - k) {
-
- case 1:
- return (cp[0] << 24) | (np[0] << 16) | (np[1] << 8) |
np[2];
-
- case 2:
- return (cp[0] << 24) | (cp[1] << 16) | (np[0] << 8) |
np[1];
- default:
- return (cp[0] << 24) | (cp[1] << 16) | (cp[2] << 8) |
np[0];
- }
- bad:
- *err = 1;
-
- return 0;
}
static int
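Review bot: the new `return (m_xhalf(m, k, err) << 16) | m_xhalf(m, k+2, err);` lets the second call overwrite whatever `*err` the first one set, and C leaves the evaluation order of the two operands of `|` unspecified, so a failure in either half can be masked and a truncated value handed back with `*err == 0`. Split it into two statements and test `*err` between the calls, e.g. `hi = m_xhalf(m, k, err); if (*err) return 0; return (hi << 16) | m_xhalf(m, k + 2, err);`. Since m_xhalf appears to return `int` (the `static int` that follows), shifting a 16-bit half left by 16 can land in the sign bit, which is undefined for a signed operand; cast the half to an unsigned 32-bit type before the shift. Also, with the `m0`/`np` uses removed from this function, make sure their declarations above the hunk go too, or the build will warn about unused variables.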