Contributed by deanna on from the errata dept.
m_dup1() copies the packet header and allocates the mbuf cluster in the wrong order. M_DUP_PKTHDR must be called on an empty mbuf; allocating a cluster beforehand is not allowed because the resulting mbuf is no longer considered empty (part of the header has already been initialized). The correct order is to allocate the mbuf with MGETHDR(), copy the packet header, and only then allocate the cluster. Issue found by JINMEI Tatuya.
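To make the ordering rule concrete, here is a small stand-alone C model of the two allocation orders. It is an added illustration, not OpenBSD's m_dup1() or its mbuf macros: the structure layout, the MHLEN/MCLBYTES values, the flag bits and the behaviour of the header copy (reinitialising the destination's flags and data pointer, the way a copy into an empty mbuf would) are all assumptions chosen to mirror the rule stated above. The model checks how much room sits behind m_data before copying, so it reports that the wrong order would overrun the header mbuf instead of actually doing so.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Toy model of the mbuf pieces involved in the m_dup1() ordering bug.
 * These are NOT the OpenBSD structures or macros; sizes, flag values and
 * the behaviour of the header copy are assumptions chosen to mirror the
 * rule above: the header copy assumes an empty header mbuf.
 */
#define MHLEN     96      /* assumed: bytes a header mbuf holds inline */
#define MCLBYTES  2048    /* assumed: cluster size */

#define M_EXT     0x0001  /* data lives in an external cluster */
#define M_PKTHDR  0x0002  /* mbuf carries a packet header */
#define M_COPYFLAGS (M_PKTHDR)   /* flags the header copy propagates */

struct pkthdr {
    int len;              /* total packet length */
    int rcvif;            /* stand-in for the receiving interface */
};

struct mbuf {
    int m_flags;
    int m_len;
    char *m_data;         /* where the payload starts */
    struct pkthdr m_pkthdr;
    char *m_ext_buf;      /* the cluster, once allocated */
    char m_pktdat[MHLEN]; /* inline storage of a header mbuf */
};

/* MGETHDR stand-in: an empty header mbuf, m_data at the inline area. */
static struct mbuf *model_mgethdr(void)
{
    struct mbuf *m = calloc(1, sizeof(*m));
    if (m == NULL)
        return NULL;
    m->m_flags = M_PKTHDR;
    m->m_data = m->m_pktdat;
    return m;
}

/* MCLGET stand-in: attach a cluster and point m_data at it. */
static int model_mclget(struct mbuf *m)
{
    m->m_ext_buf = malloc(MCLBYTES);
    if (m->m_ext_buf == NULL)
        return 0;
    m->m_flags |= M_EXT;
    m->m_data = m->m_ext_buf;
    return 1;
}

/*
 * M_DUP_PKTHDR stand-in. It initialises the destination header from
 * scratch, which is why the destination must still be empty: whatever
 * was set up in it before (here the M_EXT flag and the data pointer)
 * is overwritten. Assumed simplification of the real macro.
 */
static void model_dup_pkthdr(struct mbuf *to, const struct mbuf *from)
{
    to->m_flags = from->m_flags & M_COPYFLAGS;
    to->m_pkthdr = from->m_pkthdr;
    to->m_data = to->m_pktdat;
}

static void model_free(struct mbuf *m)
{
    if (m == NULL)
        return;
    free(m->m_ext_buf);   /* pointer kept in the model only so it can be freed */
    free(m);
}

/* Bytes available behind m_data, i.e. how much a copy may write there. */
static int model_room(const struct mbuf *m)
{
    if (m->m_ext_buf != NULL && m->m_data == m->m_ext_buf)
        return MCLBYTES;
    return MHLEN;
}

/*
 * m_dup1() model. header_first == 0 reproduces the wrong order from the
 * errata (cluster, then header copy); header_first == 1 is the corrected
 * order (MGETHDR, header copy, then cluster). Returns 1 if len bytes fit
 * behind m_data and the header survived, 0 if the copy would have overrun
 * the header mbuf (or on allocation failure). The copy is only performed
 * when it fits, so the model never corrupts memory.
 */
static int model_dup1(const struct mbuf *m, int len, int header_first)
{
    struct mbuf *n = model_mgethdr();
    int fits = 0;

    if (n == NULL)
        return 0;
    if (header_first)
        model_dup_pkthdr(n, m);
    if (len > MHLEN && !model_mclget(n)) {
        model_free(n);
        return 0;
    }
    if (!header_first)
        model_dup_pkthdr(n, m);

    if (model_room(n) >= len) {
        memcpy(n->m_data, m->m_data, (size_t)len);
        n->m_len = len;
        fits = 1;
    }
    /* With the right order the copied header and the cluster both survive. */
    if (fits && (n->m_pkthdr.len != m->m_pkthdr.len ||
        (len > MHLEN && !(n->m_flags & M_EXT))))
        fits = 0;
    model_free(n);
    return fits;
}

/* Constructed source packet of len bytes of 'A', held in a cluster. */
static struct mbuf *model_source(int len)
{
    struct mbuf *m = model_mgethdr();
    if (m == NULL || !model_mclget(m)) {
        model_free(m);
        return NULL;
    }
    memset(m->m_data, 0x41, (size_t)len);
    m->m_len = len;
    m->m_pkthdr.len = len;
    return m;
}

int main(void)
{
    struct mbuf *src = model_source(1000);   /* larger than MHLEN */
    if (src == NULL)
        return 1;
    printf("wrong order (cluster, then header copy): %s\n",
        model_dup1(src, 1000, 0) ? "fits" : "would overrun the header mbuf");
    printf("fixed order (header copy, then cluster): %s\n",
        model_dup1(src, 1000, 1) ? "fits" : "would overrun the header mbuf");
    model_free(src);
    return 0;
}
```

The point of the model is the room check: once the header copy has reset m_data to the inline area, a payload longer than MHLEN no longer fits, which is exactly the situation the wrong order creates for any packet that needed a cluster. For payloads that fit inline, both orders behave the same, which is why the bug is easy to miss in testing.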
Source patches are available for OpenBSD 3.9 and 4.0.
UPDATE: this has been elevated to a security issue. Using pf(4) to "block in inet6" is an effective workaround until the patch can be installed.
By David Alten (188.8.131.52) on
--- sys/kern/uipc_mbuf2.c 17 Mar 2006 04:15:51 -0000 1.24
+++ sys/kern/uipc_mbuf2.c 7 Mar 2007 19:21:48 -0000 184.108.40.206
By bedazzled (220.127.116.11) on www.awmn.net
Is this related to the reliability fix? At first I thought my hardware was faulty, but it has worked fine since summer... gotta patch now and see how it goes.
PS: the NIC is a classic $5 el-cheapo RealTek 8139, although it fits the bill nicely (94 Mbit/s on an iperf bench :D)
By Olli (18.104.22.168) on
By Anonymous Coward (22.214.171.124) on
By Anonymous Coward (126.96.36.199) on
poor reply, anonymous
By Anonymous Coward (188.8.131.52) on