dae3cea673
Given a packet with a length of 67 bytes, a header length using the default of 20 bytes and a TCP data offset (th_off) of 48, m_pullup(), which is called to make sure the bytes are arranged contiguously, will fail. When it fails, m_pullup() frees the mbuf chain and returns NULL. ipfilter stores the resultant mbuf address (or the resulting NULL) in its fr_info_t structure. Unfortunately, the erroneous packet is not flagged for drop. From FreeBSD via CY Schubert; originally reported by: Robert Morris <rtm at lcs.mit.edu> |
||
---|---|---|
fil.c | ||
ip_auth.c | ||
ip_auth.h | ||
ip_compat.h | ||
ip_dns_pxy.c | ||
ip_dstlist.c | ||
ip_dstlist.h | ||
ip_fil.h | ||
ip_fil_compat.c | ||
ip_fil_netbsd.c | ||
ip_frag.c | ||
ip_frag.h | ||
ip_ftp_pxy.c | ||
ip_htable.c | ||
ip_htable.h | ||
ip_ipsec_pxy.c | ||
ip_irc_pxy.c | ||
ip_log.c | ||
ip_lookup.c | ||
ip_lookup.h | ||
ip_nat.c | ||
ip_nat.h | ||
ip_nat6.c | ||
ip_netbios_pxy.c | ||
ip_pool.c | ||
ip_pool.h | ||
ip_pptp_pxy.c | ||
ip_proxy.c | ||
ip_proxy.h | ||
ip_raudio_pxy.c | ||
ip_rcmd_pxy.c | ||
ip_rpcb_pxy.c | ||
ip_scan.c | ||
ip_scan.h | ||
ip_state.c | ||
ip_state.h | ||
ip_sync.c | ||
ip_sync.h | ||
ip_tftp_pxy.c | ||
ipf_rb.h | ||
ipl.h | ||
radix_ipf.c | ||
radix_ipf.h |