diff options
| author | bz <bz@FreeBSD.org> | 2008-10-15 19:24:18 +0000 |
|---|---|---|
| committer | bz <bz@FreeBSD.org> | 2008-10-15 19:24:18 +0000 |
| commit | 88b6e9b1ce4768d42b09994526b9b4baad3a46e5 (patch) | |
| tree | b23d390f40e4c153860553774ce1d6a8caa626b3 /sys | |
| parent | 48c0c8f51a6cadba9f95ea7aad9da6c817c20499 (diff) | |
| download | FreeBSD-src-88b6e9b1ce4768d42b09994526b9b4baad3a46e5.zip FreeBSD-src-88b6e9b1ce4768d42b09994526b9b4baad3a46e5.tar.gz | |
Check that the mbuf len is positive (like we do in the v4 case).
Read the other way round this means that even with the checks
the m_len turned negative in some cases which led to panics.
The reason to my understanding seems to be that the checks are wrong
(also for v4) ignoring possible padding when checking cmsg_len or
padding after data when adjusting the mbuf.
Doing proper cheks seems to break applications like named so
further investigation and regression tests are needed.
PR: kern/119123
Tested by: Ashish Shukla wahjava gmail.com
MFC after: 3 days
Diffstat (limited to 'sys')
| -rw-r--r-- | sys/netinet6/ip6_output.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c index 311d772..fb7162f 100644 --- a/sys/netinet6/ip6_output.c +++ b/sys/netinet6/ip6_output.c @@ -2820,7 +2820,7 @@ ip6_setpktopts(struct mbuf *control, struct ip6_pktopts *opt, if (control->m_next) return (EINVAL); - for (; control->m_len; control->m_data += CMSG_ALIGN(cm->cmsg_len), + for (; control->m_len > 0; control->m_data += CMSG_ALIGN(cm->cmsg_len), control->m_len -= CMSG_ALIGN(cm->cmsg_len)) { int error; |
