Synopsis:
NetBSD versions: 1.6.1, 1.6, 1.5.3, 1.5.2, 1.5.1, 1.5
Thanks to: Ignatios Souvatzis
Reported in NetBSD Security Advisory: NetBSD-SA2003-010

Index: sys/netiso/clnp_er.c
===================================================================
RCS file: /cvsroot/src/sys/netiso/clnp_er.c,v
retrieving revision 1.12
retrieving revision 1.13
diff -c -p -r1.12 -r1.13
*** sys/netiso/clnp_er.c        2001/11/13 01:10:46     1.12
--- sys/netiso/clnp_er.c        2003/05/25 08:47:54     1.13
*************** clnp_emit_er(m, reason)
*** 254,260 ****
       struct iso_addr src, dst, *our_addr;
       caddr_t         hoff, hend;
       int             total_len;      /* total len of dg */
-       struct mbuf    *m0;     /* contains er pdu hdr */
       struct iso_ifaddr *ia = 0;

 #ifdef ARGO_DEBUG
--- 254,259 ----
*************** clnp_emit_er(m, reason)
*** 329,340 ****
 #endif

       /* allocate mbuf for er pdu header: punt on no space */
!       MGET(m0, M_DONTWAIT, MT_HEADER);
!       if (m0 == 0)
               goto bad;

!       m0->m_next = m;
!       er = mtod(m0, struct clnp_fixed *);
       *er = er_template;

       /* setup src/dst on er pdu */
--- 328,344 ----
 #endif

       /* allocate mbuf for er pdu header: punt on no space */
!       /*
!        * fixed part, two addresses and their length bytes, and a
!        * 4-byte option
!        */
!
!       M_PREPEND(m, sizeof(struct clnp_fixed) + 4 + 1 + 1 +
!                       src.isoa_len + our_addr->isoa_len, M_DONTWAIT);
!       if (m == 0)
               goto bad;

!       er = mtod(m, struct clnp_fixed *);
       *er = er_template;

       /* setup src/dst on er pdu */
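Review bot: The length passed to M_PREPEND is the only bound on the header bytes that the later code writes through hoff, so the fix holds only while that expression matches every byte the fixed part, the two addresses with their length bytes, and the option actually emit; a comment tying the two together would make that invariant visible, e.g. `/* must match the bytes written via hoff below: fixed hdr, dst/src (len byte + addr each), 4-byte ER option */`. The retained comment "allocate mbuf for er pdu header" is now inexact, since M_PREPEND may reuse leading space in m rather than allocate; `/* make room for the er pdu header in front of the offending pdu: punt on no space */` describes the new code. On failure M_PREPEND leaves m NULL and, as far as I recall, frees the chain itself, so the `bad:` label outside this hunk must not free m again — worth confirming. our_addr is dereferenced here without a check; whether it is guaranteed non-NULL at this point depends on code above the hunk.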
*************** clnp_emit_er(m, reason)
*** 355,374 ****
       *hoff++ = 0;            /* error localization = not specified */

       /* set length */
!       er->cnf_hdr_len = m0->m_len = (u_char) (hoff - (caddr_t) er);
!       total_len = m0->m_len + m->m_len;
       HTOC(er->cnf_seglen_msb, er->cnf_seglen_lsb, total_len);

       /* compute checksum (on header only) */
!       iso_gen_csum(m0, CLNP_CKSUM_OFF, (int) er->cnf_hdr_len);

       /* trim packet if too large for interface */
       if (total_len > ifp->if_mtu)
!               m_adj(m0, -(total_len - ifp->if_mtu));

       /* send packet */
       INCSTAT(cns_er_outhist[clnp_er_index(reason)]);
!       (void) (*ifp->if_output) (ifp, m0, first_hop, route.ro_rt);
       goto done;

 bad:
--- 359,378 ----
       *hoff++ = 0;            /* error localization = not specified */

       /* set length */
!       er->cnf_hdr_len = (u_char) (hoff - (caddr_t) er);
!       total_len = m->m_pkthdr.len;
       HTOC(er->cnf_seglen_msb, er->cnf_seglen_lsb, total_len);

       /* compute checksum (on header only) */
!       iso_gen_csum(m, CLNP_CKSUM_OFF, (int) er->cnf_hdr_len);

       /* trim packet if too large for interface */
       if (total_len > ifp->if_mtu)
!               m_adj(m, -(total_len - ifp->if_mtu));

       /* send packet */
       INCSTAT(cns_er_outhist[clnp_er_index(reason)]);
!       (void) (*ifp->if_output) (ifp, m, first_hop, route.ro_rt);
       goto done;

 bad:
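Review bot: `total_len = m->m_pkthdr.len;` assumes m carries a packet header (M_PKTHDR) whose length M_PREPEND has updated; if a caller can pass a chain without one, this reads an inactive part of the mbuf, so the precondition deserves a comment such as `/* m_pkthdr.len covers the whole chain, including the prepended ER header */` and, if the file's conventions allow, a check at function entry. The `(u_char)` narrowing of cnf_hdr_len is pre-existing, but its input is now the full M_PREPEND length from the previous hunk, so it silently truncates if the two address lengths could ever push the header past 255 bytes — probably not reachable for ISO addresses, but a one-line comment stating the bound would close the question. The enclosing function clnp_emit_er starts before and ends after this hunk.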