Source-Changes-HG archive

[src/trunk]: src/sys/net Replace KASSERT by m_pullup. While the ethernet head...



details:   https://anonhg.NetBSD.org/src/rev/9ed54a7f2fd4
branches:  trunk
changeset: 362163:9ed54a7f2fd4
user:      maxv <maxv%NetBSD.org@localhost>
date:      Tue May 29 08:24:59 2018 +0000

description:
Replace KASSERT by m_pullup. While the ethernet header is always there
when the packet was received on a physical interface, it may not be if
the packet was received over L2TP/EtherIP.

In particular, if the inner ethernet header ends up on two separate IP
fragments. Here the KASSERT is triggered, and on !DIAGNOSTIC we corrupt
memory.

Note that this is a widespread problem: a lot of L2 code was written with
the assumption that "most" headers are present in the first mbuf.
Obviously, that's not true if L2 encapsulation is being used.

diffstat:

 sys/net/if_ethersubr.c |  10 +++++++---
 1 files changed, 7 insertions(+), 3 deletions(-)

diffs (36 lines):

diff -r bdb68902a378 -r 9ed54a7f2fd4 sys/net/if_ethersubr.c
--- a/sys/net/if_ethersubr.c    Tue May 29 07:35:39 2018 +0000
+++ b/sys/net/if_ethersubr.c    Tue May 29 08:24:59 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: if_ethersubr.c,v 1.266 2018/05/09 06:35:10 maxv Exp $  */
+/*     $NetBSD: if_ethersubr.c,v 1.267 2018/05/29 08:24:59 maxv Exp $  */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -61,7 +61,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_ethersubr.c,v 1.266 2018/05/09 06:35:10 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_ethersubr.c,v 1.267 2018/05/29 08:24:59 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -588,12 +588,16 @@
 
        KASSERT(!cpu_intr_p());
        KASSERT((m->m_flags & M_PKTHDR) != 0);
-       KASSERT(m->m_len >= sizeof(*eh));
 
        if ((ifp->if_flags & IFF_UP) == 0) {
                m_freem(m);
                return;
        }
+       if (m->m_len < sizeof(*eh)) {
+               m = m_pullup(m, sizeof(*eh));
+               if (m == NULL)
+                       return;
+       }
 
 #ifdef MBUFTRACE
        m_claimm(m, &ec->ec_rx_mowner);
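
Review bot: In the new "if (m->m_len < sizeof(*eh))" block, the "if (m == NULL) return;" path drops the packet without recording it anywhere, so frames lost to a failed m_pullup leave no trace; consider counting an input error on the interface before returning. Not calling m_freem(m) there is correct, since m_pullup frees the chain when it fails. A one-line comment above the check noting that the ethernet header may be split across mbufs when the frame arrives over L2TP/EtherIP would also help, because that reasoning currently lives only in the commit message and the removed KASSERT suggested the opposite invariant.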
