diff options
| author | luigi <luigi@FreeBSD.org> | 2016-01-27 02:08:30 +0000 |
|---|---|---|
| committer | luigi <luigi@FreeBSD.org> | 2016-01-27 02:08:30 +0000 |
| commit | 7860e04138c66d208ac2fa347703113261c0b120 (patch) | |
| tree | 6803f2ad971a06000a9b9cc93e2fed21d258d0a2 /sys/netpfil | |
| parent | bda9fd0b43dbaa6b84cf8ec8e36f97987ab92249 (diff) | |
| download | FreeBSD-src-7860e04138c66d208ac2fa347703113261c0b120.zip FreeBSD-src-7860e04138c66d208ac2fa347703113261c0b120.tar.gz | |
bugfix: the scheduler template (dn_schk) for the round robin scheduler
is followed by another structure (rr_schk) whose size must be set
in the schk_datalen field of the descriptor.
Not allocating the memory may cause other memory to be overwritten
(though dn_schk is 192 bytes and rr_schk only 12 so we may be lucky
and end up in the padding after the dn_schk).
This is a merge candidate for stable and 10.3
MFC after: 3 days
Diffstat (limited to 'sys/netpfil')
| -rw-r--r-- | sys/netpfil/ipfw/dn_sched_rr.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/sys/netpfil/ipfw/dn_sched_rr.c b/sys/netpfil/ipfw/dn_sched_rr.c index 63e525a..16649a8 100644 --- a/sys/netpfil/ipfw/dn_sched_rr.c +++ b/sys/netpfil/ipfw/dn_sched_rr.c @@ -294,7 +294,7 @@ static struct dn_alg rr_desc = { _SI( .name = ) "RR", _SI( .flags = ) DN_MULTIQUEUE, - _SI( .schk_datalen = ) 0, + _SI( .schk_datalen = ) sizeof(struct rr_schk), _SI( .si_datalen = ) sizeof(struct rr_si), _SI( .q_datalen = ) sizeof(struct rr_queue) - sizeof(struct dn_queue), @@ -311,5 +311,6 @@ static struct dn_alg rr_desc = { _SI( .free_queue = ) rr_free_queue, }; +_Static_assert(sizeof(struct dn_schk) < 193, "a"); DECLARE_DNSCHED_MODULE(dn_rr, &rr_desc); |
