https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271843
John Baldwin <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]
             Status|New                         |In Progress
           Assignee|[email protected]          |[email protected]

--- Comment #1 from John Baldwin <[email protected]> ---
Hmm, looking at the code in question, almost all of the fsm handlers have this
bug in one form or fashion, e.g.:

static void
FsmRecvConfigReq(struct fsm *fp, struct fsmheader *lhp, struct mbuf *bp)
/* RCR */
{
  struct fsm_decode dec;
  int plen, flen;
  int ackaction = 0;
  u_char *cp;

  bp = m_pullup(bp);
  plen = m_length(bp);
  flen = ntohs(lhp->length) - sizeof *lhp;
  if (plen < flen) {
    log_Printf(LogWARN, "%s: FsmRecvConfigReq: plen (%d) < flen (%d)\n",
               fp->link->name, plen, flen);
    m_freem(bp);
    return;
  }

It seems to me that probably fsm_Input should reject any message whose length
is less than the size of the header.  It already does this if the packet is
too small, and I think that will fix this type of bug in multiple handlers,
not just FsmRecvEchoReq().

-- 
You are receiving this mail because:
You are the assignee for the bug.
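The following is an added illustration, not code from FreeBSD ppp or from the bug's author. It reproduces the arithmetic the comment quotes (flen = ntohs(lhp->length) - sizeof *lhp) on a constructed 4-byte header (code, id, 16-bit length, modelled on the fields the handler uses) to show why a length field smaller than the header yields a negative flen that the "plen < flen" guard never catches, and it shows an up-front check of the kind the comment proposes for fsm_Input. The function names legacy_guard_accepts and fsm_input_check, the struct layout and the sample frames are all assumptions made for this example.

```c
/* Added example (not FreeBSD ppp code). Stand-in header: code, id, 16-bit
 * big-endian length that counts the header itself, as in PPP FSM frames. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct fsmheader {
    uint8_t  code;
    uint8_t  id;
    uint16_t length;   /* network byte order, includes the 4 header bytes */
};

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Mirrors the handler arithmetic quoted in the comment:
 *   flen = ntohs(lhp->length) - sizeof *lhp;
 * ntohs() yields an int-ranged value, sizeof is size_t, so the subtraction
 * is performed unsigned. For length < 4 it wraps, and storing the result in
 * an int gives a negative flen, so "plen < flen" is false and the handler
 * carries on with a bogus length. Returns 1 if the guard lets the frame
 * through, 0 if it drops it. */
static int legacy_guard_accepts(const uint8_t *pkt, size_t plen)
{
    int flen = (int)(be16(pkt + 2) - sizeof(struct fsmheader));
    if ((int)plen < flen)
        return 0;   /* dropped, as the handler intends */
    return 1;       /* handler proceeds using flen as the payload length */
}

/* Input-path check of the kind the comment proposes for fsm_Input: reject
 * before dispatching to any handler when the frame is shorter than a header
 * (already done in ppp, per the comment), when the length field is smaller
 * than the header, or when it claims more bytes than the frame holds.
 * Returns -1 on reject, else the payload length handlers may safely use. */
static int fsm_input_check(const uint8_t *pkt, size_t plen)
{
    uint16_t len;

    if (plen < sizeof(struct fsmheader))
        return -1;                      /* frame cannot hold a header */
    len = be16(pkt + 2);
    if (len < sizeof(struct fsmheader))
        return -1;                      /* length field lies: < header */
    if (len > plen)
        return -1;                      /* length field exceeds the frame */
    return (int)(len - sizeof(struct fsmheader));
}

int main(void)
{
    /* Constructed frames. Code 9 is LCP Echo-Request; length field 2 is
     * deliberately smaller than the 4-byte header. */
    const uint8_t bogus[4] = { 9, 1, 0x00, 0x02 };
    /* Well-formed frame: length 8 = 4 header bytes + 4 magic-number bytes. */
    const uint8_t good[8]  = { 9, 1, 0x00, 0x08, 0xde, 0xad, 0xbe, 0xef };

    printf("legacy guard accepts length-2 frame: %d\n",
           legacy_guard_accepts(bogus, sizeof bogus));
    printf("fsm_input_check on length-2 frame: %d\n",
           fsm_input_check(bogus, sizeof bogus));
    printf("fsm_input_check on good frame: %d payload bytes\n",
           fsm_input_check(good, sizeof good));
    return 0;
}
```

Putting the check in the common input path means each handler's "plen < flen" comparison only ever sees a non-negative flen, which is exactly why a single fix there covers every handler rather than patching them one by one.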
