Author: tuexen
Date: Sun Apr 29 18:42:49 2012
New Revision: 234809
URL: http://svn.freebsd.org/changeset/base/234809
Log:
MFC r234459:
Fix a bug where we copy out more data from a mbuf chain that are
ctually in it. This happens when SCTP receives an unknown chunk, which
requires the sending of an ERROR chunk, and there is no final padding but
the chunk is not 4-byte aligned.
Reported by yueting via rwatson@
Modified:
stable/8/sys/netinet/sctp_indata.c
stable/8/sys/netinet/sctp_input.c
Directory Properties:
stable/8/sys/ (props changed)
Modified: stable/8/sys/netinet/sctp_indata.c
==============================================================================
--- stable/8/sys/netinet/sctp_indata.c Sun Apr 29 18:40:41 2012
(r234808)
+++ stable/8/sys/netinet/sctp_indata.c Sun Apr 29 18:42:49 2012
(r234809)
@@ -2746,11 +2746,13 @@ sctp_process_data(struct mbuf **mm, int
phd->param_length =
htons(chk_length +
sizeof(*phd));
SCTP_BUF_LEN(merr) =
sizeof(*phd);
- SCTP_BUF_NEXT(merr) =
SCTP_M_COPYM(m, *offset,
- SCTP_SIZE32(chk_length),
- M_DONTWAIT);
+ SCTP_BUF_NEXT(merr) =
SCTP_M_COPYM(m, *offset, chk_length, M_DONTWAIT);
if (SCTP_BUF_NEXT(merr)) {
- sctp_queue_op_err(stcb,
merr);
+ if
(sctp_pad_lastmbuf(SCTP_BUF_NEXT(merr), SCTP_SIZE32(chk_length) - chk_length,
NULL)) {
+
sctp_m_freem(merr);
+ } else {
+
sctp_queue_op_err(stcb, merr);
+ }
} else {
sctp_m_freem(merr);
}
Modified: stable/8/sys/netinet/sctp_input.c
==============================================================================
--- stable/8/sys/netinet/sctp_input.c Sun Apr 29 18:40:41 2012
(r234808)
+++ stable/8/sys/netinet/sctp_input.c Sun Apr 29 18:42:49 2012
(r234809)
@@ -5461,23 +5461,26 @@ process_control_chunks:
phd->param_type =
htons(SCTP_CAUSE_UNRECOG_CHUNK);
phd->param_length = htons(chk_length +
sizeof(*phd));
SCTP_BUF_LEN(mm) = sizeof(*phd);
- SCTP_BUF_NEXT(mm) = SCTP_M_COPYM(m,
*offset, SCTP_SIZE32(chk_length),
- M_DONTWAIT);
+ SCTP_BUF_NEXT(mm) = SCTP_M_COPYM(m,
*offset, chk_length, M_DONTWAIT);
if (SCTP_BUF_NEXT(mm)) {
+ if
(sctp_pad_lastmbuf(SCTP_BUF_NEXT(mm), SCTP_SIZE32(chk_length) - chk_length,
NULL)) {
+ sctp_m_freem(mm);
+ } else {
#ifdef SCTP_MBUF_LOGGING
- if
(SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
- struct mbuf *mat;
+ if
(SCTP_BASE_SYSCTL(sctp_logging_level) & SCTP_MBUF_LOGGING_ENABLE) {
+ struct mbuf
*mat;
- mat = SCTP_BUF_NEXT(mm);
- while (mat) {
- if
(SCTP_BUF_IS_EXTENDED(mat)) {
-
sctp_log_mb(mat, SCTP_MBUF_ICOPY);
+ mat =
SCTP_BUF_NEXT(mm);
+ while (mat) {
+ if
(SCTP_BUF_IS_EXTENDED(mat)) {
+
sctp_log_mb(mat, SCTP_MBUF_ICOPY);
+ }
+ mat =
SCTP_BUF_NEXT(mat);
}
- mat =
SCTP_BUF_NEXT(mat);
}
- }
#endif
- sctp_queue_op_err(stcb, mm);
+ sctp_queue_op_err(stcb,
mm);
+ }
} else {
sctp_m_freem(mm);
}
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
