dae3cea673
Under the scenario with a packet with length of 67 bytes, a header length using the default of 20 bytes and a TCP data offset (th_off) of 48 will cause m_pullup() to fail to make sure bytes are arranged contiguously. m_pullup() will free the mbuf chain and return a null. ipfilter stores the resultant mbuf address (or the resulting NULL) in its fr_info_t structure. Unfortunately the erroneous packet is not flagged for drop. From FreeBSD via CY Schubert; originally reported by: Robert Morris <rtm at lcs.mit.edu>

- bsd
- gpl2/dts
- isc
- mit/xen-include-public/dist/xen/include/public