diff options
| author | kbyanc <kbyanc@FreeBSD.org> | 2002-05-07 22:14:06 +0000 |
|---|---|---|
| committer | kbyanc <kbyanc@FreeBSD.org> | 2002-05-07 22:14:06 +0000 |
| commit | cc607e6c2d164e9cb79d2fdec151a8c3a151be83 (patch) | |
| tree | 1011805115056aee5a327edbdc2edbd88f8dd3e5 /sys/netinet | |
| parent | 890d39a38cddebc8d4ce58feba2c0be1ee5e44f6 (diff) | |
| download | FreeBSD-src-cc607e6c2d164e9cb79d2fdec151a8c3a151be83.zip FreeBSD-src-cc607e6c2d164e9cb79d2fdec151a8c3a151be83.tar.gz | |
Move ISO88025 source routing information into sockaddr_dl's sdl_data
field. This returns the sdl_data field to a variable-length field. More
importantly, this prevents a easily-reproduceable data-corruption bug when
the interface name plus the hardware address exceed the sdl_data field's
original 12 byte limit. However, token-ring interfaces may still overflow
the new sdl_data field's 46 byte limit if the interface name exceeds 6
characters (since 6 characters for interface name plus 6 for hardware
address plus 34 for source routing = the size of sdl_data). Further
refinements could overcome this limitation but would break binary
compatibility; this commit only addresses fixing the bug for
commonly-occuring cases without breaking binary compatibility with the
intention that the functionality can be MFC'ed to -stable.
See message ID's (both send to -arch):
20020421013332.F87395-100000@gateway.posi.net
20020430181359.G11009-300000@gateway.posi.net
for a more thorough description of the bug addressed and how to
reproduce it.
Approved by: silence on -arch and -net
Sponsored by: NTT Multimedia Communications Labs
MFC after: 1 week
Diffstat (limited to 'sys/netinet')
| -rw-r--r-- | sys/netinet/if_ether.c | 15 |
1 files changed, 7 insertions, 8 deletions
diff --git a/sys/netinet/if_ether.c b/sys/netinet/if_ether.c index 6a87a5e..6c8b75a 100644 --- a/sys/netinet/if_ether.c +++ b/sys/netinet/if_ether.c @@ -571,6 +571,7 @@ in_arpinput(m) struct ether_header *eh; struct arc_header *arh; struct iso88025_header *th = (struct iso88025_header *)0; + struct iso88025_sockaddr_dl_data *trld; register struct llinfo_arp *la = 0; register struct rtentry *rt; struct ifaddr *ifa; @@ -697,7 +698,6 @@ match: } (void)memcpy(LLADDR(sdl), ar_sha(ah), sdl->sdl_alen = ah->ar_hln); - sdl->sdl_rcf = (u_short)0; /* * If we receive an arp from a token-ring station over * a token-ring nic then try to save the source @@ -705,13 +705,14 @@ match: */ if (ifp->if_type == IFT_ISO88025) { th = (struct iso88025_header *)m->m_pkthdr.header; + trld = SDL_ISO88025(sdl); rif_len = TR_RCF_RIFLEN(th->rcf); if ((th->iso88025_shost[0] & TR_RII) && (rif_len > 2)) { - sdl->sdl_rcf = th->rcf; - sdl->sdl_rcf ^= htons(TR_RCF_DIR); - memcpy(sdl->sdl_route, th->rd, rif_len - 2); - sdl->sdl_rcf &= ~htons(TR_RCF_BCST_MASK); + trld->trld_rcf = th->rcf; + trld->trld_rcf ^= htons(TR_RCF_DIR); + memcpy(trld->trld_route, th->rd, rif_len - 2); + trld->trld_rcf &= ~htons(TR_RCF_BCST_MASK); /* * Set up source routing information for * reply packet (XXX) @@ -725,9 +726,7 @@ match: m->m_data -= 8; m->m_len += 8; m->m_pkthdr.len += 8; - th->rcf = sdl->sdl_rcf; - } else { - sdl->sdl_rcf = (u_short)0; + th->rcf = trld->trld_rcf; } if (rt->rt_expire) rt->rt_expire = time_second + arpt_keep; |
