1:33 PM - OpenBSD security
This is an interesting read.  The patch is very small.  
http://secunia.com/advisories/24490/
Index: sys/kern/uipc_mbuf2.c
===================================================================
RCS file: /cvs/src/sys/kern/uipc_mbuf2.c,v
retrieving revision 1.24
retrieving revision 1.24.2.1
diff -u -p -r1.24 -r1.24.2.1
--- sys/kern/uipc_mbuf2.c17 Mar 2006 04:15:51 -00001.24
+++ sys/kern/uipc_mbuf2.c7 Mar 2007 19:21:48 -00001.24.2.1
@@ -1,4 +1,4 @@
-/*$OpenBSD: uipc_mbuf2.c,v 1.24 2006/03/17 04:15:51 brad Exp $*/
+/*$OpenBSD: uipc_mbuf2.c,v 1.24.2.1 2007/03/07 19:21:48 deraadt Exp $*/
 /*$KAME: uipc_mbuf2.c,v 1.29 2001/02/14 13:42:10 itojun Exp $*/
 /*$NetBSD: uipc_mbuf.c,v 1.40 1999/04/01 00:23:25 thorpej Exp $*/
 
@@ -226,16 +226,14 @@ m_dup1(struct mbuf *m, int off, int len,
 {
 struct mbuf *n;
 int l;
-int copyhdr;
 
 if (len > MCLBYTES)
 return (NULL);
 if (off == 0 && (m->m_flags & M_PKTHDR) != 0) {
-copyhdr = 1;
 MGETHDR(n, wait, m->m_type);
+M_DUP_PKTHDR(n, m);
 l = MHLEN;
 } else {
-copyhdr = 0;
 MGET(n, wait, m->m_type);
 l = MLEN;
 }
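Review bot: The added `M_DUP_PKTHDR(n, m);` runs directly after `MGETHDR(n, wait, m->m_type);`, before any check that the allocation succeeded; the only visible NULL test on `n` is the `if (!n)` in the next hunk. If MGETHDR can leave `n` NULL, which that later test suggests, the macro would operate on a NULL mbuf in kernel context, so I would add `if (n == NULL) return (NULL);` between the two lines. The macro body and the code between this hunk and the next are not shown, so this is inferred from call order alone. m_dup1's body starts before this hunk and continues past it.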
@@ -249,8 +247,6 @@ m_dup1(struct mbuf *m, int off, int len,
 if (!n)
 return (NULL);
 
-if (copyhdr)
-M_DUP_PKTHDR(n, m);
 m_copydata(m, off, len, mtod(n, caddr_t));
 n->m_len = len;
 
This isn't the first time they've had a problem though:
http://secunia.com/advisories/10801/
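I reviewed the MidnightBSD code.  Our handling is a bit different: the storage (cluster or plain mbuf) is chosen first, and the packet header is then duplicated with m_dup_pkthdr(), whose result is checked before any data is copied.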
/*
 * Duplicate len bytes of mbuf m, starting at offset off, into a single
 * newly allocated mbuf.
 *
 * Returns the new mbuf, or NULL when len exceeds MCLBYTES, when the
 * allocation fails, or when the packet header cannot be duplicated.  The
 * packet header is duplicated only when the copy starts at offset 0 of an
 * mbuf that has M_PKTHDR set.
 *
 * Security note: the storage is selected before the data copy (m_getcl()
 * for len >= MINCLSIZE, m_gethdr()/m_get() otherwise) and the packet header
 * is duplicated after that allocation.  The m_copydata() call stays in
 * bounds only if m_dup_pkthdr() leaves n's data pointer and storage state
 * intact; its body is not visible here, so confirm that when auditing.
 *
 * NOTE(review): only the upper bound of len is checked in this function.
 * Negative off/len, and a plain mbuf being large enough for any
 * len < MINCLSIZE, are presumably guaranteed elsewhere -- verify.
 */
static struct mbuf *
m_dup1(struct mbuf *m, int off, int len, int wait)
{
	struct mbuf *n;
	int copyhdr;

	/* A single mbuf can carry at most one cluster of data. */
	if (len > MCLBYTES)
		return NULL;

	/* The header travels with the copy only when we start at the front. */
	copyhdr = (off == 0 && (m->m_flags & M_PKTHDR) != 0) ? 1 : 0;

	/* Pick storage by size: cluster-backed mbuf or plain mbuf. */
	if (len >= MINCLSIZE)
		n = m_getcl(wait, m->m_type, copyhdr ? M_PKTHDR : 0);
	else if (copyhdr)
		n = m_gethdr(wait, m->m_type);
	else
		n = m_get(wait, m->m_type);

	if (n == NULL)
		return NULL; /* ENOBUFS */

	/* Header duplication can fail; release the new mbuf if it does. */
	if (copyhdr) {
		if (!m_dup_pkthdr(n, m, wait)) {
			m_free(n);
			return NULL;
		}
	}

	m_copydata(m, off, len, mtod(n, caddr_t));
	n->m_len = len;
	return n;
}
Comments
There appears to be another OpenBSD patch for IPv6. I'll have to look at that later.
