dae3cea673
Under the scenario with a packet with length of 67 bytes, a header length using the default of 20 bytes and a TCP data offset (th_off) of 48 will cause m_pullup() to fail to make sure bytes are arranged contiguously. m_pullup() will free the mbuf chain and return a null. ipfilter stores the resultant mbuf address (or the resulting NULL) in its fr_info_t structure. Unfortunately the erroneous packet is not flagged for drop. From FreeBSD via CY Schubert; originally reported by: Robert Morris <rtm at lcs.mit.edu> |
||
|---|---|---|
| .. | ||
| fil.c | ||
| ip_auth.c | ||
| ip_auth.h | ||
| ip_compat.h | ||
| ip_dns_pxy.c | ||
| ip_dstlist.c | ||
| ip_dstlist.h | ||
| ip_fil.h | ||
| ip_fil_compat.c | ||
| ip_fil_netbsd.c | ||
| ip_frag.c | ||
| ip_frag.h | ||
| ip_ftp_pxy.c | ||
| ip_htable.c | ||
| ip_htable.h | ||
| ip_ipsec_pxy.c | ||
| ip_irc_pxy.c | ||
| ip_log.c | ||
| ip_lookup.c | ||
| ip_lookup.h | ||
| ip_nat.c | ||
| ip_nat.h | ||
| ip_nat6.c | ||
| ip_netbios_pxy.c | ||
| ip_pool.c | ||
| ip_pool.h | ||
| ip_pptp_pxy.c | ||
| ip_proxy.c | ||
| ip_proxy.h | ||
| ip_raudio_pxy.c | ||
| ip_rcmd_pxy.c | ||
| ip_rpcb_pxy.c | ||
| ip_scan.c | ||
| ip_scan.h | ||
| ip_state.c | ||
| ip_state.h | ||
| ip_sync.c | ||
| ip_sync.h | ||
| ip_tftp_pxy.c | ||
| ipf_rb.h | ||
| ipl.h | ||
| radix_ipf.c | ||
| radix_ipf.h | ||