authorbz <bz@FreeBSD.org>2008-09-07 13:09:04 +0000
committerbz <bz@FreeBSD.org>2008-09-07 13:09:04 +0000
commitcb1cd5ee09eb37bf756225d7f27b846e17599cf1 (patch)
treee02f06a8fce1ee1d7f71298cec045af0a6a96343 /sys/kern/uipc_sockbuf.c
parentfffe39bcea71473bf99577f1936bf93939e79e24 (diff)
Catch a possible NULL pointer deref in case the offsets got mangled
somehow. As a consequence we may now get an unexpected result(*). Catch that error case with a well-defined panic giving appropriate pointers to ease debugging. (*) While the consensus was that the case should never happen unless there was a bug, no one was definitively sure. Discussed with: kmacy (about 8 months back) Reviewed by: silby (as part of a larger patch in March) MFC after: 2 months
Diffstat (limited to 'sys/kern/uipc_sockbuf.c')
-rw-r--r--sys/kern/uipc_sockbuf.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/sys/kern/uipc_sockbuf.c b/sys/kern/uipc_sockbuf.c
index b730c69..41f5987 100644
--- a/sys/kern/uipc_sockbuf.c
+++ b/sys/kern/uipc_sockbuf.c
@@ -937,11 +937,13 @@ sbsndptr(struct sockbuf *sb, u_int off, u_int len, u_int *moff)
/* Advance by len to be as close as possible for the next transmit. */
for (off = off - sb->sb_sndptroff + len - 1;
- off > 0 && off >= m->m_len;
+ off > 0 && m != NULL && off >= m->m_len;
m = m->m_next) {
sb->sb_sndptroff += m->m_len;
off -= m->m_len;
}
+ if (off > 0 && m == NULL)
+ panic("%s: sockbuf %p and mbuf %p clashing", __func__, sb, ret);
sb->sb_sndptr = m;
return (ret);
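Review bot: The new panic() after the loop prints only `sb` and `ret`, not the residual `off`, which is the one value that shows how far the request ran past the end of the mbuf chain; by that point the loop has also already advanced `sb->sb_sndptroff`, so the starting offset can no longer be read from the sockbuf. Because `off` and `len` are `u_int`, the loop initialiser `off - sb->sb_sndptroff + len - 1` can wrap (for example when `len` is 0 and `off` equals `sb->sb_sndptroff`), which would walk the chain to NULL and land on this panic; whether callers exclude that is not visible, since sbsndptr() begins above the hunk. I would include the residual in the message, e.g. `panic("%s: sockbuf %p and mbuf %p clashing, off %u", __func__, sb, ret, off);`, and add a comment above the check naming the caller invariant it relies on. If that invariant can be broken from the send path, this is a whole-host crash rather than a debugging aid, so the comment should say why a panic is preferred over clamping to the end of the chain.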