1:33 PM - OpenBSD security
This is an interesting read. The patch is very small.
http://secunia.com/advisories/24490/
Index: sys/kern/uipc_mbuf2.c
===================================================================
RCS file: /cvs/src/sys/kern/uipc_mbuf2.c,v
retrieving revision 1.24
retrieving revision 1.24.2.1
diff -u -p -r1.24 -r1.24.2.1
--- sys/kern/uipc_mbuf2.c 17 Mar 2006 04:15:51 -0000 1.24
+++ sys/kern/uipc_mbuf2.c 7 Mar 2007 19:21:48 -0000 1.24.2.1
@@ -1,4 +1,4 @@
-/* $OpenBSD: uipc_mbuf2.c,v 1.24 2006/03/17 04:15:51 brad Exp $ */
+/* $OpenBSD: uipc_mbuf2.c,v 1.24.2.1 2007/03/07 19:21:48 deraadt Exp $ */
/* $KAME: uipc_mbuf2.c,v 1.29 2001/02/14 13:42:10 itojun Exp $ */
/* $NetBSD: uipc_mbuf.c,v 1.40 1999/04/01 00:23:25 thorpej Exp $ */
@@ -226,16 +226,14 @@ m_dup1(struct mbuf *m, int off, int len,
{
struct mbuf *n;
int l;
- int copyhdr;
if (len > MCLBYTES)
return (NULL);
if (off == 0 && (m->m_flags & M_PKTHDR) != 0) {
- copyhdr = 1;
MGETHDR(n, wait, m->m_type);
+ M_DUP_PKTHDR(n, m);
l = MHLEN;
} else {
- copyhdr = 0;
MGET(n, wait, m->m_type);
l = MLEN;
}
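Review bot: Nothing tests `n` between `MGETHDR(n, wait, m->m_type);` and the added `M_DUP_PKTHDR(n, m);`, and the only NULL check visible on this page, `if (!n)`, sits in the next hunk, after the header copy. If MGETHDR can leave `n` NULL for the given `wait` value, the macro would presumably write through a null pointer, so a guard such as `if (n == NULL) return (NULL);` belongs right after the allocation. The new position of the call is also what the fix depends on, yet it carries no explanation; a comment like `/* duplicate the packet header before anything else is attached to n */` would stop a later cleanup from moving it back. The lines between this hunk and the next are not shown, so the exact wording should be confirmed against them. m_dup1's body continues outside the hunk.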
@@ -249,8 +247,6 @@ m_dup1(struct mbuf *m, int off, int len,
if (!n)
return (NULL);
- if (copyhdr)
- M_DUP_PKTHDR(n, m);
m_copydata(m, off, len, mtod(n, caddr_t));
n->m_len = len;
This isn't the first time they've had a problem though:
http://secunia.com/advisories/10801/
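I reviewed the MidnightBSD code. Our handling is a bit different: the mbuf is allocated first (from m_getcl() for larger lengths), and the packet header is duplicated afterwards with m_dup_pkthdr(), whose failure is checked.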
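/*
 * Duplicate len bytes of m, starting at offset off, into one newly
 * allocated mbuf.
 *
 * The packet header is carried over only when the copy starts at offset 0
 * and m has M_PKTHDR set.  Requests of MINCLSIZE bytes or more are served
 * by m_getcl(); smaller ones use m_gethdr() or m_get().
 *
 * Returns the new mbuf, or NULL when off/len are out of range, when the
 * allocation fails, or when the header cannot be duplicated (the new mbuf
 * is freed in that case).
 */
static struct mbuf *
m_dup1(struct mbuf *m, int off, int len, int wait)
{
	struct mbuf *n;
	int copyhdr;

	/*
	 * off and len are signed.  Without a lower bound, a negative len
	 * passes the MCLBYTES test and is stored in n->m_len below, so
	 * reject negative values together with oversized requests.
	 */
	if (off < 0 || len < 0 || len > MCLBYTES)
		return NULL;

	/* The header travels with the data only for a copy from the start. */
	copyhdr = (off == 0 && (m->m_flags & M_PKTHDR) != 0);

	if (len >= MINCLSIZE)
		n = m_getcl(wait, m->m_type, copyhdr ? M_PKTHDR : 0);
	else if (copyhdr)
		n = m_gethdr(wait, m->m_type);
	else
		n = m_get(wait, m->m_type);
	if (n == NULL)
		return NULL;	/* ENOBUFS */

	/*
	 * NOTE(review): the header is duplicated after the buffer has been
	 * allocated.  The copy below relies on mtod(n) still pointing at
	 * storage with room for len bytes, so m_dup_pkthdr() must leave the
	 * buffer chosen above in place -- confirm against its definition,
	 * which is not part of this listing.
	 */
	if (copyhdr && !m_dup_pkthdr(n, m, wait)) {
		m_free(n);
		return NULL;
	}

	m_copydata(m, off, len, mtod(n, caddr_t));
	n->m_len = len;
	return n;
}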