The branch stable/13 has been updated by imp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=7965d4d9e326373b4669e451d3bd2a7d840c4b5b

commit 7965d4d9e326373b4669e451d3bd2a7d840c4b5b
Author:     Florian Florensa <[email protected]>
AuthorDate: 2023-09-17 14:16:07 +0000
Commit:     Warner Losh <[email protected]>
CommitDate: 2023-09-17 14:17:51 +0000

    net/bpf: Fix writing of buffer bigger than PAGESIZE
    
    When allocating the mbuf we used m_get2, which fails
    if len is greater than MJUMPAGESIZE; if that is the case,
    use m_getjcl instead.
    
    Reviewed by:    kp@
    PR:             205164
    Pull Request:   https://github.com/freebsd/freebsd-src/pull/131
    
    (cherry picked from commit f13da24715a75ce0fdac31062866877d980aa908)
---
 sys/net/bpf.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/sys/net/bpf.c b/sys/net/bpf.c
index 6656b4aca980..20c26892ce7a 100644
--- a/sys/net/bpf.c
+++ b/sys/net/bpf.c
@@ -641,7 +641,15 @@ bpf_movein(struct uio *uio, int linktype, struct ifnet 
*ifp, struct mbuf **mp,
        if (len < hlen || len - hlen > ifp->if_mtu)
                return (EMSGSIZE);
 
-       m = m_get2(len, M_WAITOK, MT_DATA, M_PKTHDR);
+       /* Allocate a mbuf for our write, since m_get2 fails if len >= to 
MJUMPAGESIZE, use m_getjcl for bigger buffers */
+       if (len < MJUMPAGESIZE)
+               m = m_get2(len, M_WAITOK, MT_DATA, M_PKTHDR);
+       else if (len <= MJUM9BYTES)
+               m = m_getjcl(M_WAITOK, MT_DATA, M_PKTHDR, MJUM9BYTES);
+       else if (len <= MJUM16BYTES)
+               m = m_getjcl(M_WAITOK, MT_DATA, M_PKTHDR, MJUM16BYTES);
+       else
+               m = NULL;
        if (m == NULL)
                return (EIO);
        m->m_pkthdr.len = m->m_len = len;
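Review bot: The new comment says m_get2 fails when len is `>=` MJUMPAGESIZE and the first branch tests `len < MJUMPAGESIZE`, while the commit message says it fails only when len is larger than MJUMPAGESIZE; if the message is the accurate one (worth confirming against m_get2 itself), a write of exactly MJUMPAGESIZE bytes takes a 9k jumbo cluster for no reason, and `if (len <= MJUMPAGESIZE)` with a comment such as `/* m_get2() cannot allocate more than MJUMPAGESIZE; use a jumbo cluster for larger writes. */` would agree with it. The final `else m = NULL;` branch reports an oversized write as EIO through the existing NULL check, whereas the size check just above returns EMSGSIZE; returning `EMSGSIZE` directly when `len > MJUM16BYTES` would keep the two size rejections consistent for callers. Because len is bounded here only by `ifp->if_mtu` plus the link header, the comment could also note that large-MTU interfaces make this path request 9k/16k clusters with M_WAITOK, so the writing thread may sleep until one is available. bpf_movein's body begins and continues outside the hunk.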
