Source-Changes-HG archive
[src/netbsd-3-0]: src/sys/net Pull up following revision(s) (requested by ost...
details: https://anonhg.NetBSD.org/src/rev/64f58bbe9643
branches: netbsd-3-0
changeset: 579311:64f58bbe9643
user: ghen <ghen%NetBSD.org@localhost>
date: Mon Oct 23 17:48:12 2006 +0000
description:
Pull up following revision(s) (requested by oster in ticket #1539):
sys/net/bpf_filter.c: revision 1.32
It is not sufficient for MINDEX to just 'return 0' if the MINDEX macro
is going to be used from within m_xhalf() and m_xword(). In using
MINDEX in those cases, we must set *err to '1' *before* calling MINDEX
just in case MINDEX does decide to 'return', and causes the function
to return 0 with an un-set err value. A consequence of this fix is
that we can clean up a couple of (now) unneeded goto's. Problem found
by inspection whilst searching for the cause of a different panic.
Also: pavel@ noted the following:
if (merr != 0)
return 0;
was missing from after a call to m_xhalf(), so fix that too.
src/regress/sys/net/bpf/out-of-bounds now passes the regression test.
Ok'ed by pavel@.
diffstat:
sys/net/bpf_filter.c | 18 ++++++++----------
1 files changed, 8 insertions(+), 10 deletions(-)
diffs (76 lines):
diff -r deb9838b3273 -r 64f58bbe9643 sys/net/bpf_filter.c
--- a/sys/net/bpf_filter.c Mon Oct 16 22:06:21 2006 +0000
+++ b/sys/net/bpf_filter.c Mon Oct 23 17:48:12 2006 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: bpf_filter.c,v 1.21 2005/02/26 22:45:09 perry Exp $ */
+/* $NetBSD: bpf_filter.c,v 1.21.12.1 2006/10/23 17:48:12 ghen Exp $ */
/*-
* Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
@@ -37,7 +37,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: bpf_filter.c,v 1.21 2005/02/26 22:45:09 perry Exp $");
+__KERNEL_RCSID(0, "$NetBSD: bpf_filter.c,v 1.21.12.1 2006/10/23 17:48:12 ghen Exp $");
#if 0
#if !(defined(lint) || defined(KERNEL))
@@ -94,6 +94,7 @@
u_char *cp, *np;
struct mbuf *m0;
+ *err = 1;
MINDEX(len, m, k);
cp = mtod(m, u_char *) + k;
if (len - k >= 4) {
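Review bot: the new `*err = 1;` ahead of `MINDEX(len, m, k);` only makes sense to a reader who knows the macro can return from the enclosing function, and nothing at this call site says so. Add a one-line comment above the assignment (MINDEX may return 0 directly, so err must already signal failure) so a later cleanup does not move or drop it. The body of the `if (len - k >= 4)` fast path is not visible in this hunk; with failure now the default, it has to set `*err = 0` before it returns.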
@@ -102,7 +103,7 @@
}
m0 = m->m_next;
if (m0 == 0 || m0->m_len + len - k < 4)
- goto bad;
+ return 0;
*err = 0;
np = mtod(m0, u_char *);
switch (len - k) {
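Review bot: at `if (m0 == 0 || m0->m_len + len - k < 4)` the bare `return 0;` is an error return only because `*err` was preset at the top of the function, and 0 is also a legitimate loaded value. A short comment on that line (err is still 1 here) would keep the dependency visible now that the `bad:` label no longer marks the failure path.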
@@ -116,9 +117,6 @@
default:
return (cp[0] << 24) | (cp[1] << 16) | (cp[2] << 8) | np[0];
}
- bad:
- *err = 1;
- return 0;
}
static int
@@ -130,6 +128,7 @@
u_char *cp;
struct mbuf *m0;
+ *err = 1;
MINDEX(len, m, k);
cp = mtod(m, u_char *) + k;
if (len - k >= 2) {
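Review bot: `*err = 1;` before `MINDEX(len, m, k);` is now repeated by hand in a second function, so the invariant lives at each call site rather than in the macro. Consider having the macro take the error pointer and set it before its own return, or at least documenting the requirement at the MINDEX definition, so the next helper that uses it cannot reintroduce the unset err value.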
@@ -138,12 +137,9 @@
}
m0 = m->m_next;
if (m0 == 0)
- goto bad;
+ return 0;
*err = 0;
return (cp[0] << 8) | mtod(m0, u_char *)[0];
- bad:
- *err = 1;
- return 0;
}
#else /* _KERNEL */
#include <stdlib.h>
@@ -219,6 +215,8 @@
if (buflen != 0)
return 0;
A = m_xhalf((struct mbuf *)p, k, &merr);
+ if (merr != 0)
+ return 0;
continue;
#else
return 0;
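Review bot: the added `if (merr != 0) return 0;` after `A = m_xhalf((struct mbuf *)p, k, &merr);` closes one call site that the commit message says was missed, but the hunk gives no way to tell whether the other m_xword() and m_xhalf() calls in this function are all followed by the same check. Audit them in the same change and say so in the commit message, since an unchecked merr lets a failed load continue with A set to 0.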
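The failure mode the commit message describes, as an added userland sketch that is not NetBSD's code: `struct seg`, `SEG_INDEX`, `xhalf` and `demo` are hypothetical stand-ins for the mbuf chain, MINDEX, m_xhalf() and the filter loop. The stale `merr = 0` in the caller is an assumption made so the effect is deterministic.

```c
#include <stddef.h>

/* Hypothetical userland stand-in for an mbuf chain (not the kernel struct). */
struct seg { const unsigned char *data; int len; struct seg *next; };

/* Modelled on the macro the commit describes: it can 'return 0' from the
 * enclosing function when offset k lies past the end of the chain. */
#define SEG_INDEX(len, m, k) do {            \
	len = (m)->len;                          \
	while ((k) >= len) {                     \
		(k) -= len;                          \
		(m) = (m)->next;                     \
		if ((m) == NULL)                     \
			return 0;                        \
		len = (m)->len;                      \
	}                                        \
} while (0)

/* Two-byte big-endian load at offset k; 'preset' selects the fixed form. */
static int xhalf(struct seg *m, int k, int *err, int preset)
{
	int len;

	if (preset)
		*err = 1;               /* the fix: fail closed before the macro */
	SEG_INDEX(len, m, k);       /* hidden return leaves *err as it was */
	if (len - k >= 2) {
		*err = 0;
		return (m->data[k] << 8) | m->data[k + 1];
	}
	if (m->next == NULL || m->next->len < 1) {
		*err = 1;
		return 0;
	}
	*err = 0;
	return (m->data[k] << 8) | m->next->data[0];
}

/* Caller modelled on the filter loop: -1 means reject, else the loaded value.
 * The chain {0x12,0x34} -> {0x56} is constructed sample data. */
int demo(int preset, int k)
{
	static const unsigned char d0[] = { 0x12, 0x34 }, d1[] = { 0x56 };
	struct seg s1 = { d1, 1, NULL }, s0 = { d0, 2, &s1 };
	int merr = 0;               /* stale success from an earlier load */
	int v = xhalf(&s0, k, &merr, preset);

	return merr != 0 ? -1 : v;
}
```

With `k = 3` the offset is past the end of the three-byte chain: the unfixed form hands the caller a plausible value of 0, while the preset form makes the caller reject the load.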