Module Name: src
Committed By: drochner
Date: Sat Apr 18 12:40:52 UTC 2009
Modified Files:
src/sys/netinet6: ip6_output.c
Log Message:
fix traversal of a control mbuf in the case that a message length
is not aligned wrt CMSG_ALIGN - the length counter drops below 0
in this case, which was not checked for;
fixes crashes (with isc_dhcrelay4) reported by Uwe in tech-net
(subject: netbsd5-rc3 crash caused by isc_dhcrelay)
To generate a diff of this commit:
cvs rdiff -u -r1.136 -r1.137 src/sys/netinet6/ip6_output.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/netinet6/ip6_output.c
diff -u src/sys/netinet6/ip6_output.c:1.136 src/sys/netinet6/ip6_output.c:1.137
--- src/sys/netinet6/ip6_output.c:1.136 Wed Mar 18 16:00:23 2009
+++ src/sys/netinet6/ip6_output.c Sat Apr 18 12:40:52 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: ip6_output.c,v 1.136 2009/03/18 16:00:23 cegger Exp $ */
+/* $NetBSD: ip6_output.c,v 1.137 2009/04/18 12:40:52 drochner Exp $ */
/* $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $ */
/*
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.136 2009/03/18 16:00:23 cegger Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.137 2009/04/18 12:40:52 drochner Exp $");
#include "opt_inet.h"
#include "opt_inet6.h"
@@ -2809,7 +2809,8 @@
if (control->m_next)
return (EINVAL);
- for (; control->m_len; control->m_data += CMSG_ALIGN(cm->cmsg_len),
+ /* XXX if cm->cmsg_len is not aligned, control->m_len can become <0 */
+ for (; control->m_len > 0; control->m_data += CMSG_ALIGN(cm->cmsg_len),
control->m_len -= CMSG_ALIGN(cm->cmsg_len)) {
int error;
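Review bot: The `> 0` test on the `for` line ends the walk, but the update expression still steps `control->m_data` and `control->m_len` by the full `CMSG_ALIGN(cm->cmsg_len)`. With an unaligned final message the mbuf is therefore left with a negative `m_len` and an `m_data` pointing past the valid data. Whether anything later reads those fields (the caller or the mbuf free path) is not visible here, so it would be safer to clamp the step than to rely on the loop condition alone. For example, compute it once at the end of the body with a local (name constructed here): `clen = CMSG_ALIGN(cm->cmsg_len); if (clen > control->m_len) clen = control->m_len;`, then advance by `clen`, which lets the `XXX` comment go. The loop body, where `cm` is assigned and `cmsg_len` is presumably checked against `m_len`, continues outside the hunk, so confirm that check happens before any option data is read.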