author | shin <shin@FreeBSD.org> | 2000-02-09 00:34:40 +0000 |
---|---|---|
committer | shin <shin@FreeBSD.org> | 2000-02-09 00:34:40 +0000 |
commit | fdb3a7064446f1bdec12175ccc5ede0c628a9443 (patch) | |
tree | c670f48251601d48d3e9c06b427683f160c9bc71 /sys/netinet | |
parent | 49c2b4c16d1c8ee55f0216d9dca570beb62a2907 (diff) | |
Avoid kernel panic when tcp rfc1323 and rfc1644 options are enabled
at the same time.

When rfc1323 and rfc1644 options are enabled by sysctl,
and tcp over IPv6 is tried, kernel panic happens by the
following check in tcp_output(), because now hdrlen is bigger
in such case than before.

    /*#ifdef DIAGNOSTIC*/
    if (max_linkhdr + hdrlen > MHLEN)
            panic("tcphdr too big");
    /*#endif*/

So change the above check to compare with MCLBYTES in #ifdef INET6 case.
Also, allocate a mbuf cluster for the header mbuf, in that case.

Bug reported at KAME environment.

Approved by: jkh
Reviewed by: sumikawa
Obtained from: KAME project

Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/tcp_output.c | 17 |
1 files changed, 13 insertions, 4 deletions
diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c index bbae03f..ae85e84 100644 --- a/sys/netinet/tcp_output.c +++ b/sys/netinet/tcp_output.c @@ -530,8 +530,13 @@ send: } /*#ifdef DIAGNOSTIC*/ +#ifdef INET6 + if (max_linkhdr + hdrlen > MCLBYTES) + panic("tcphdr too big"); +#else if (max_linkhdr + hdrlen > MHLEN) panic("tcphdr too big"); +#endif /*#endif*/ /* @@ -567,10 +572,14 @@ send: goto out; } #ifdef INET6 - if (isipv6 && (MHLEN < hdrlen + max_linkhdr) && - MHLEN >= hdrlen) { - MH_ALIGN(m, hdrlen); - } else + if (MHLEN < hdrlen + max_linkhdr) { + MCLGET(m, M_DONTWAIT); + if ((m->m_flags & M_EXT) == 0) { + m_freem(m); + error = ENOBUFS; + goto out; + } + } #endif m->m_data += max_linkhdr; m->m_len = hdrlen; |
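
Review bot: In the first hunk (@@ -530), the `#ifdef INET6` branch raises the panic bound to `MCLBYTES` with no comment explaining that this is only safe because the header mbuf can now be backed by a cluster later in the same function. Because the switch is compile-time, the relaxed bound also applies to IPv4 segments on an INET6 kernel, which is consistent with the second hunk but not obvious from the commit message, which speaks only of TCP over IPv6. A short comment next to the check naming the dependency on the `MCLGET` path would help, and the two branches could share one `panic("tcphdr too big")` by selecting the limit in the `#ifdef` instead of duplicating the whole test.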
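
Review bot: In the second hunk (@@ -567), the new test `if (MHLEN < hdrlen + max_linkhdr)` drops both the `isipv6` condition and the `MHLEN >= hdrlen` case that the removed lines handled with `MH_ALIGN(m, hdrlen)`, so a header that fits in the mbuf by itself now costs a full cluster, allocated with `M_DONTWAIT`, for every such segment on either address family. If that trade-off is intended, say so in a comment; otherwise keep the alignment path for the case where only the link-header reservation does not fit and take a cluster only when `hdrlen` itself exceeds `MHLEN`. The failure path (`m_freem(m)`, `error = ENOBUFS`, `goto out`) looks right from the visible lines, but `m` is left pointing at freed memory, so it is worth confirming that nothing after the `out` label dereferences it.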