Module Name: src
Committed By: snj
Date: Mon Apr 20 22:56:04 UTC 2009
Modified Files:
src/sys/netinet6 [netbsd-5]: ip6_output.c
Log Message:
Pull up following revision(s) (requested by drochner in ticket #713):
sys/netinet6/ip6_output.c: revision 1.137
fix traversing of a control mbuf in the case that a message len
is not aligned wrt CMSG_ALIGN - the length counter drops below 0
in this case which was not checked for,
fixes crashes (with isc_dhcrelay4) reported by Uwe in tech-net
(subject: netbsd5-rc3 crash caused by isc_dhcrelay)
To generate a diff of this commit:
cvs rdiff -u -r1.135 -r1.135.2.1 src/sys/netinet6/ip6_output.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/netinet6/ip6_output.c
diff -u src/sys/netinet6/ip6_output.c:1.135 src/sys/netinet6/ip6_output.c:1.135.2.1
--- src/sys/netinet6/ip6_output.c:1.135 Mon Oct 27 20:03:07 2008
+++ src/sys/netinet6/ip6_output.c Mon Apr 20 22:56:04 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: ip6_output.c,v 1.135 2008/10/27 20:03:07 plunky Exp $ */
+/* $NetBSD: ip6_output.c,v 1.135.2.1 2009/04/20 22:56:04 snj Exp $ */
/* $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $ */
/*
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.135 2008/10/27 20:03:07 plunky Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.135.2.1 2009/04/20 22:56:04 snj Exp $");
#include "opt_inet.h"
#include "opt_inet6.h"
@@ -2809,7 +2809,8 @@
if (control->m_next)
return (EINVAL);
- for (; control->m_len; control->m_data += CMSG_ALIGN(cm->cmsg_len),
+ /* XXX if cm->cmsg_len is not aligned, control->m_len can become <0 */
+ for (; control->m_len > 0; control->m_data += CMSG_ALIGN(cm->cmsg_len),
control->m_len -= CMSG_ALIGN(cm->cmsg_len)) {
int error;
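Review bot: The `control->m_len > 0` test on the new `for` line ends the walk, but by then the increment clause has already moved `control->m_data` past the valid data and left `control->m_len` negative, so the mbuf leaves the loop in an inconsistent state. The guard also works only because `m_len` is compared as a signed value, and the XXX comment should say so, e.g. `/* m_len is signed: an unpadded final cmsg makes CMSG_ALIGN(cmsg_len) overshoot and m_len go negative */`. A tighter form would clamp the step to the bytes remaining, or have the loop body compare `CMSG_ALIGN(cm->cmsg_len)` with `control->m_len` before advancing. The body lies outside this hunk, so confirm what it already validates. The log indicates the control data is supplied by the sending process (isc_dhcrelay here), so a regression test with a non-aligned `cmsg_len` would be worth adding.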