Patch from Greg Ansley:
In rare cases, when the filter specified accesses a multi-byte value that is split across mbufs, the value loaded is incorrect. And if you are very unlucky (like me) it will index off the end of the mbuf and into an unallocated page and panic the system. If you look at the code you will discover that the index *k* is added to the pointer *cp* and then used AGAIN as a subscript.
This commit is contained in:
parent
1fca221ae2
commit
b4fff2ae1a
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=7543
@ -37,7 +37,7 @@
|
||||
*
|
||||
* @(#)bpf_filter.c 8.1 (Berkeley) 6/10/93
|
||||
*
|
||||
* $Id$
|
||||
* $Id: bpf_filter.c,v 1.3 1994/08/02 07:45:58 davidg Exp $
|
||||
*/
|
||||
|
||||
#include <sys/param.h>
|
||||
@ -112,14 +112,14 @@ m_xword(m, k, err)
|
||||
switch (len - k) {
|
||||
|
||||
case 1:
|
||||
return (cp[k] << 24) | (np[0] << 16) | (np[1] << 8) | np[2];
|
||||
return (cp[0] << 24) | (np[0] << 16) | (np[1] << 8) | np[2];
|
||||
|
||||
case 2:
|
||||
return (cp[k] << 24) | (cp[k + 1] << 16) | (np[0] << 8) |
|
||||
return (cp[0] << 24) | (cp[1] << 16) | (np[0] << 8) |
|
||||
np[1];
|
||||
|
||||
default:
|
||||
return (cp[k] << 24) | (cp[k + 1] << 16) | (cp[k + 2] << 8) |
|
||||
return (cp[0] << 24) | (cp[1] << 16) | (cp[2] << 8) |
|
||||
np[0];
|
||||
}
|
||||
bad:
|
||||
@ -153,7 +153,7 @@ m_xhalf(m, k, err)
|
||||
if (m0 == 0)
|
||||
goto bad;
|
||||
*err = 0;
|
||||
return (cp[k] << 8) | mtod(m0, u_char *)[0];
|
||||
return (cp[0] << 8) | mtod(m0, u_char *)[0];
|
||||
bad:
|
||||
*err = 1;
|
||||
return 0;
|
||||
|