From bb4d9bd72b5c66bd3be98a81dc071f49dd411523 Mon Sep 17 00:00:00 2001
From: krw
Date: Tue, 18 Apr 2017 13:44:03 +0000
Subject: [PATCH] After 11 years of pondering about it I think that brookdavis@freebsd.org had it correct. Don't BPF_WORDALIGN() the value for the number of bytes read() into the buffer. This could theoretically cause the processing of 1 - 3 more bytes than were read.
---
 sbin/dhclient/bpf.c | 6 +++---
 usr.sbin/dhcpd/bpf.c | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/sbin/dhclient/bpf.c b/sbin/dhclient/bpf.c
index bd0463dfab1..03a56e8a444 100644
--- a/sbin/dhclient/bpf.c
+++ b/sbin/dhclient/bpf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bpf.c,v 1.47 2017/02/12 15:53:15 krw Exp $ */
+/* $OpenBSD: bpf.c,v 1.48 2017/04/18 13:44:03 krw Exp $ */

 /* BPF socket interface code, originally contributed by Archie Cobbs. */

@@ -350,12 +350,12 @@ receive_packet(struct interface_info *ifi, struct sockaddr_in *from,
 */
 do {
 /* If the buffer is empty, fill it. */
- if (ifi->rbuf_offset == ifi->rbuf_len) {
+ if (ifi->rbuf_offset >= ifi->rbuf_len) {
 length = read(ifi->bfdesc, ifi->rbuf, ifi->rbuf_max);
 if (length <= 0)
 return (length);
 ifi->rbuf_offset = 0;
- ifi->rbuf_len = BPF_WORDALIGN(length);
+ ifi->rbuf_len = length;
 }

 /*
diff --git a/usr.sbin/dhcpd/bpf.c b/usr.sbin/dhcpd/bpf.c
index d046681e957..863d5603eec 100644
--- a/usr.sbin/dhcpd/bpf.c
+++ b/usr.sbin/dhcpd/bpf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bpf.c,v 1.16 2017/02/13 23:04:05 krw Exp $ */
+/* $OpenBSD: bpf.c,v 1.17 2017/04/18 13:44:03 krw Exp $ */

 /* BPF socket interface code, originally contributed by Archie Cobbs. */

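Review bot: The refill test's change from `==` to `>=` is what keeps the loop from stalling once rbuf_len holds the raw read() length, yet nothing in the hunk records why an offset past the end is now an expected state; the same applies to the usr.sbin/dhcpd/bpf.c hunk below. If the consumer further down advances rbuf_offset in BPF_WORDALIGN()'d steps, as bpf buffer walkers typically do, it can legitimately land beyond an unaligned rbuf_len, so a one-line comment above the test would preserve that reasoning: `/* >=, not ==: rbuf_len is the raw read() length, while rbuf_offset advances in BPF_WORDALIGN()'d steps and may overshoot it. */`. It is also worth confirming that the per-packet length check later in the loop compares the header plus captured length against the now-unaligned rbuf_len - rbuf_offset, so the last packet in the buffer cannot be copied from beyond what read() returned. receive_packet's body continues outside the hunk.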
@@ -278,13 +278,13 @@ receive_packet(struct interface_info *interface, unsigned char *buf,
 */
 do {
 /* If the buffer is empty, fill it. */
- if (interface->rbuf_offset == interface->rbuf_len) {
+ if (interface->rbuf_offset >= interface->rbuf_len) {
 length = read(interface->rfdesc, interface->rbuf,
 interface->rbuf_max);
 if (length <= 0)
 return (length);
 interface->rbuf_offset = 0;
- interface->rbuf_len = BPF_WORDALIGN(length);
+ interface->rbuf_len = length;
 }

 /*
-- 
2.20.1