From bef9dae05a72866e79d97d9bff3fc5a2538b4421 Mon Sep 17 00:00:00 2001
From: Julian Elischer
Date: Tue, 26 Oct 1999 22:33:54 +0000
Subject: [PATCH] cleanups regarding misused m_pullup() and similar.
---
 sys/netgraph/ng_UI.c | 3 ++-
 sys/netgraph/ng_frame_relay.c | 2 +-
 sys/netgraph/ng_lmi.c | 5 ++--
 sys/netgraph/ng_pppoe.c | 3 ++-
 sys/netgraph/ng_rfc1490.c | 3 ++-
 sys/netgraph/ng_vjc.c | 51 ++++++++++++++++++++---------------
 sys/netgraph/ng_vjc.h | 9 ++++---
 7 files changed, 44 insertions(+), 32 deletions(-)
diff --git a/sys/netgraph/ng_UI.c b/sys/netgraph/ng_UI.c
index 7295b4ae73bb..48078d93e350 100644
--- a/sys/netgraph/ng_UI.c
+++ b/sys/netgraph/ng_UI.c
@@ -178,7 +178,8 @@ ng_UI_rcvdata(hook_p hook, struct mbuf *m, meta_p meta)
 if (hook == priv->downlink) {
 u_char *start, *ptr;
- if (!m || !(m = m_pullup(m, MAX_ENCAPS_HDR)))
+ if (!m || (m->m_len < MAX_ENCAPS_HDR
+ && !(m = m_pullup(m, MAX_ENCAPS_HDR))))
 ERROUT(ENOBUFS);
 ptr = start = mtod(m, u_char *);
diff --git a/sys/netgraph/ng_frame_relay.c b/sys/netgraph/ng_frame_relay.c
index 995b769a9fed..97ba1a5b6162 100644
--- a/sys/netgraph/ng_frame_relay.c
+++ b/sys/netgraph/ng_frame_relay.c
@@ -434,7 +434,7 @@ ngfrm_decode(node_p node, struct mbuf *m, meta_p meta)
 int error = 0;
 int ctxnum;
- if ((m = m_pullup(m, 4)) == NULL) {
+ if (m->m_len < 4 && (m = m_pullup(m, 4)) == NULL) {
 error = ENOBUFS;
 goto out;
 }
diff --git a/sys/netgraph/ng_lmi.c b/sys/netgraph/ng_lmi.c
index a4049986aa81..239bc57843f8 100644
--- a/sys/netgraph/ng_lmi.c
+++ b/sys/netgraph/ng_lmi.c
@@ -577,8 +577,9 @@ nglmi_rcvdata(hook_p hook, struct mbuf *m, meta_p meta)
 log(LOG_WARNING, "nglmi: packetlen (%d) too big\n", packetlen);
 goto drop;
 }
- if ((m = m_pullup(m, packetlen)) == NULL) {
- log(LOG_WARNING, "nglmi: m_pullup failed for %d bytes\n", packetlen);
+ if (m->m_len < packetlen && (m = m_pullup(m, packetlen)) == NULL) {
+ log(LOG_WARNING,
+ "nglmi: m_pullup failed for %d bytes\n", packetlen);
 NG_FREE_META(meta);
 return (0);
 }
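Review bot: In ngfrm_decode() the new test reads `m->m_len` before anything has checked `m`, while ng_UI_rcvdata() in this same commit keeps its `!m ||` guard in front of the identical length test; the same unguarded read is added in nglmi_rcvdata() and in the ng_pppoe.c and ng_vjc.c hunks. Whether these paths can ever be handed a NULL mbuf is not visible in the hunks, so either the guard belongs here too, `if (m == NULL || (m->m_len < 4 && (m = m_pullup(m, 4)) == NULL)) {`, or a one-line comment should state that the caller guarantees a non-NULL chain. The enclosing functions start and end outside the hunks.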
diff --git a/sys/netgraph/ng_pppoe.c b/sys/netgraph/ng_pppoe.c
index 65115ef68c75..3f0ff6888a90 100644
--- a/sys/netgraph/ng_pppoe.c
+++ b/sys/netgraph/ng_pppoe.c
@@ -1144,7 +1144,8 @@ AAA
 * wants us to offer service.
 */
 neg = sp->neg;
- m_pullup(m, sizeof(*wh)); /* Checks length */
+ if (m->m_len < sizeof(*wh))
+ m_pullup(m, sizeof(*wh));
 if (m == NULL) {
 LEAVE(ENOBUFS);
 }
diff --git a/sys/netgraph/ng_rfc1490.c b/sys/netgraph/ng_rfc1490.c
index 3649476f95cc..6bbdc41c6500 100644
--- a/sys/netgraph/ng_rfc1490.c
+++ b/sys/netgraph/ng_rfc1490.c
@@ -226,7 +226,8 @@ ng_rfc1490_rcvdata(hook_p hook, struct mbuf *m, meta_p meta)
 if (hook == priv->downlink) {
 u_char *start, *ptr;
- if (!m || !(m = m_pullup(m, MAX_ENCAPS_HDR)))
+ if (!m || (m->m_len < MAX_ENCAPS_HDR
+ && !(m = m_pullup(m, MAX_ENCAPS_HDR))))
 ERROUT(ENOBUFS);
 ptr = start = mtod(m, u_char *);
diff --git a/sys/netgraph/ng_vjc.c b/sys/netgraph/ng_vjc.c
index 9755bd433348..a7f0ec231aea 100644
--- a/sys/netgraph/ng_vjc.c
+++ b/sys/netgraph/ng_vjc.c
@@ -97,7 +97,7 @@ static int ng_vjc_rcvdata(hook_p hook, struct mbuf *m, meta_p t);
 static int ng_vjc_disconnect(hook_p hook);
 /* Helper stuff */
-static struct mbuf *pulluphdrs(struct mbuf *m);
+static struct mbuf *ng_vjc_pulluphdrs(struct mbuf *m);
 /* Node type descriptor */
 static struct ng_type typestruct = {
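Review bot: In the ng_pppoe.c hunk the result of `m_pullup(m, sizeof(*wh))` is still discarded, so the `if (m == NULL)` test that follows can never fire. On failure m_pullup() has already freed the chain and `m` is left pointing at freed memory; on success the head of the chain may have been replaced and `m` is stale. Every other call site touched by this commit assigns the result, and this one should too: `if (m->m_len < sizeof(*wh) && (m = m_pullup(m, sizeof(*wh))) == NULL) {` followed by the existing `LEAVE(ENOBUFS);`. The enclosing function starts and ends outside the hunk.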
@@ -191,18 +191,24 @@ ng_vjc_rcvmsg(node_p node, struct ng_mesg *msg,
 switch (msg->header.typecookie) {
 case NGM_VJC_COOKIE:
 switch (msg->header.cmd) {
- case NGM_VJC_CONFIG:
+ case NGM_VJC_SET_CONFIG:
 {
 struct ngm_vjc_config *const c = (struct ngm_vjc_config *) msg->data;
- if (msg->header.arglen != sizeof(*c)
- || c->numChannels > NG_VJC_MAX_CHANNELS
- || c->numChannels < NG_VJC_MIN_CHANNELS)
+ if (msg->header.arglen != sizeof(*c))
 ERROUT(EINVAL);
- if (priv->conf.enabled && c->enabled)
+ if ((priv->conf.enableComp || priv->conf.enableDecomp)
+ && (c->enableComp || c->enableDecomp))
 ERROUT(EALREADY);
- if (c->enabled != 0) {
+ if (c->enableComp) {
+ if (c->numChannels > NG_VJC_MAX_CHANNELS
+ || c->numChannels < NG_VJC_MIN_CHANNELS)
+ ERROUT(EINVAL);
+ } else {
+ c->numChannels = NG_VJC_MAX_CHANNELS;
+ }
+ if (c->enableComp != 0 || c->enableDecomp != 0) {
 bzero(&priv->slc, sizeof(priv->slc));
 sl_compress_init(&priv->slc, c->numChannels);
 }
@@ -260,12 +266,12 @@ ng_vjc_rcvdata(hook_p hook, struct mbuf *m, meta_p meta)
 if (hook == priv->ip) { /* outgoing packet */
 u_int type;
- if (!priv->conf.enabled) /* compression not enabled */
+ if (!priv->conf.enableComp) /* compression not enabled */
 type = TYPE_IP;
 else {
 struct ip *ip;
- if ((m = pulluphdrs(m)) == NULL)
+ if ((m = ng_vjc_pulluphdrs(m)) == NULL)
 ERROUT(ENOBUFS);
 ip = mtod(m, struct ip *);
 type = (ip->ip_p == IPPROTO_TCP) ?
@@ -291,15 +297,15 @@ ng_vjc_rcvdata(hook_p hook, struct mbuf *m, meta_p meta)
 u_char *hdr;
 struct mbuf *mp;
- /* Are we initialized? */
- if (!priv->conf.enabled) {
+ /* Are we decompressing? */
+ if (!priv->conf.enableDecomp) {
 m_freem(m);
 m = NULL;
 ERROUT(ENETDOWN);
 }
 /* Uncompress packet to reconstruct TCP/IP header */
- if (!(m = m_pullup(m, MAX_VJHEADER)))
+ if (m->m_len < MAX_VJHEADER && !(m = m_pullup(m, MAX_VJHEADER)))
 ERROUT(ENOBUFS);
 vjlen = sl_uncompress_tcp_core(mtod(m, u_char *), m->m_len, m->m_pkthdr.len, TYPE_COMPRESSED_TCP,
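Review bot: The new `else` branch in ng_vjc_rcvmsg() stores `NG_VJC_MAX_CHANNELS` into `c->numChannels`, and `c` points into the caller's message (`msg->data`), so a request that does not enable compression has its channel count silently replaced before `sl_compress_init()` runs. That deserves a comment at the assignment, for example `/* not compressing: ignore the caller's count and size the state for the maximum */`. The case body continues past the end of the hunk, so whether the rewritten value is later copied into `priv->conf` cannot be seen here.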
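Review bot: In the compressed-packet branch of ng_vjc_rcvdata() the pull-up length is always `MAX_VJHEADER`, and m_pullup() fails, freeing the chain, when the whole packet holds fewer bytes than requested, so a valid compressed frame shorter than that bound is dropped with ENOBUFS. Going by its name, MAX_VJHEADER is an upper limit on the compressed header rather than a minimum frame size, so the request should be clamped to the packet length with a local `int need`: `need = MAX_VJHEADER; if (need > m->m_pkthdr.len) need = m->m_pkthdr.len;` and then `if (m->m_len < need && !(m = m_pullup(m, need)))`. The branch starts before and continues after the hunk.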
@@ -342,18 +348,18 @@ ng_vjc_rcvdata(hook_p hook, struct mbuf *m, meta_p meta)
 m = mp;
 hook = priv->ip;
 } else if (hook == priv->vjuncomp) { /* incoming uncompressed pkt */
- u_int hlen;
 u_char *hdr;
+ u_int hlen;
- /* Are we initialized? */
- if (!priv->conf.enabled) {
+ /* Are we decompressing? */
+ if (!priv->conf.enableDecomp) {
 m_freem(m);
 m = NULL;
 ERROUT(ENETDOWN);
 }
 /* Run packet through uncompressor */
- if ((m = pulluphdrs(m)) == NULL)
+ if ((m = ng_vjc_pulluphdrs(m)) == NULL)
 ERROUT(ENOBUFS);
 if (sl_uncompress_tcp_core(mtod(m, u_char *), m->m_len, m->m_pkthdr.len, TYPE_UNCOMPRESSED_TCP,
@@ -410,29 +416,30 @@ ng_vjc_disconnect(hook_p hook)
 ************************************************************************/
 /*
- * Pull up the full IP and TCP headers of a packet. This is optimized
- * for the common case of standard length headers. If packet is not
+ * Pull up the full IP and TCP headers of a packet. If packet is not
 * a TCP packet, just pull up the IP header.
 */
 static struct mbuf *
-pulluphdrs(struct mbuf *m)
+ng_vjc_pulluphdrs(struct mbuf *m)
 {
 struct ip *ip;
 struct tcphdr *tcp;
 int ihlen, thlen;
- if ((m = m_pullup(m, sizeof(*ip) + sizeof(*tcp))) == NULL)
+ if (m->m_len < sizeof(*ip) && !(m = m_pullup(m, sizeof(*ip))))
 return (NULL);
 ip = mtod(m, struct ip *);
 if (ip->ip_p != IPPROTO_TCP)
 return (m);
- if ((ihlen = (ip->ip_hl << 2)) != sizeof(*ip)) {
+ ihlen = ip->ip_hl << 2;
+ if (m->m_len < ihlen + sizeof(*tcp)) {
 if (!(m = m_pullup(m, ihlen + sizeof(*tcp))))
 return (NULL);
 ip = mtod(m, struct ip *);
 }
 tcp = (struct tcphdr *) ((u_char *) ip + ihlen);
- if ((thlen = (tcp->th_off << 2)) != sizeof(*tcp))
+ thlen = tcp->th_off << 2;
+ if (m->m_len < ihlen + thlen)
 m = m_pullup(m, ihlen + thlen);
 return (m);
 }
diff --git a/sys/netgraph/ng_vjc.h b/sys/netgraph/ng_vjc.h
index 5067f6add843..5dc22974a3c5 100644
--- a/sys/netgraph/ng_vjc.h
+++ b/sys/netgraph/ng_vjc.h
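Review bot: ng_vjc_pulluphdrs() takes `ip->ip_hl` and `tcp->th_off` straight from the packet and uses them as lengths with no lower bound, so a header-length field smaller than the fixed header makes `tcp` point inside the IP header and lets the function return a chain whose contiguous part is shorter than a real IP plus TCP header. The reads inside this function stay within the pulled-up bytes, but whether the slcompress routines called afterwards re-check these fields is not visible here. Rejecting the packet early is cheap: after `ihlen = ip->ip_hl << 2;` add `if (ihlen < sizeof(*ip)) { m_freem(m); return (NULL); }`, and apply the same test to `thlen` against `sizeof(*tcp)`. The function comment should also state that NULL is returned, with the chain already freed, when a pull-up fails.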
@@ -45,7 +45,7 @@
 /* Node type name and magic cookie */
 #define NG_VJC_NODE_TYPE "vjc"
-#define NGM_VJC_COOKIE 868219207
+#define NGM_VJC_COOKIE 868219208
 /* Hook names */
 #define NG_VJC_HOOK_IP "ip" /* normal IP traffic */
@@ -59,14 +59,15 @@
 /* Configure struct */
 struct ngm_vjc_config {
- u_char enabled; /* Enable compression/decompression */
- u_char numChannels; /* Number of outgoing channels */
+ u_char enableComp; /* Enable compression */
+ u_char enableDecomp; /* Enable decompression */
+ u_char numChannels; /* Number of compression channels */
 u_char compressCID; /* OK to compress outgoing CID's */
 };
 /* Netgraph commands */
 enum {
- NGM_VJC_CONFIG, /* Supply a struct ngm_vjc_config */
+ NGM_VJC_SET_CONFIG, /* Supply a struct ngm_vjc_config */
 NGM_VJC_GET_STATE, /* Returns current struct slcompress */
 NGM_VJC_CLR_STATS, /* Clears statistics counters */
 NGM_VJC_RECV_ERROR, /* Indicate loss of incoming frame */