Module Name: src
Committed By: maxv
Date: Fri Sep 13 06:39:29 UTC 2019

Modified Files:
	src/sys/net: bpf.c

Log Message:
As I suspected, the KASSERT I added yesterday can fire if we try to process
zero-sized packets. Skip them to prevent a type confusion that can trigger
random page faults later.

Reported-by: syzbot+3e447ebdcb2bcfa40...@syzkaller.appspotmail.com

To generate a diff of this commit:
cvs rdiff -u -r1.230 -r1.231 src/sys/net/bpf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files: Index: src/sys/net/bpf.c diff -u src/sys/net/bpf.c:1.230 src/sys/net/bpf.c:1.231 --- src/sys/net/bpf.c:1.230 Thu Sep 12 07:38:19 2019 +++ src/sys/net/bpf.c Fri Sep 13 06:39:29 2019 @@ -1,4 +1,4 @@ -/* $NetBSD: bpf.c,v 1.230 2019/09/12 07:38:19 maxv Exp $ */ +/* $NetBSD: bpf.c,v 1.231 2019/09/13 06:39:29 maxv Exp $ */ /* * Copyright (c) 1990, 1991, 1993 @@ -39,7 +39,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: bpf.c,v 1.230 2019/09/12 07:38:19 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: bpf.c,v 1.231 2019/09/13 06:39:29 maxv Exp $"); #if defined(_KERNEL_OPT) #include "opt_bpf.h" @@ -1676,6 +1676,11 @@ _bpf_mtap(struct bpf_if *bp, struct mbuf pktlen = m_length(m); + /* Skip zero-sized packets. */ + if (__predict_false(pktlen == 0)) { + return; + } + if (pktlen == m->m_len) { cpfn = (void *)memcpy; marg = mtod(m, void *);
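Review bot: The comment on the new early return in the _bpf_mtap() hunk, "Skip zero-sized packets.", says what the check does but not why, so a later cleanup could drop it as a harmless-looking special case. Suggest putting the reason from the log message into the comment itself: a zero pktlen must not reach the `pktlen == m->m_len` comparison that follows, because processing such a packet trips the KASSERT mentioned in the log and, on kernels without assertions, results in the type confusion and later page faults. It would also help to note in the comment that the packet is deliberately not delivered to any listener in this case, since the function returns before any tap processing.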