Module Name: src Committed By: maxv Date: Wed Apr 11 05:38:47 UTC 2018
Modified Files: src/sys/netinet: if_arp.c Log Message: Add XXX. To generate a diff of this commit: cvs rdiff -u -r1.272 -r1.273 src/sys/netinet/if_arp.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/netinet/if_arp.c
diff -u src/sys/netinet/if_arp.c:1.272 src/sys/netinet/if_arp.c:1.273
--- src/sys/netinet/if_arp.c:1.272 Tue Apr 10 08:41:14 2018
+++ src/sys/netinet/if_arp.c Wed Apr 11 05:38:47 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: if_arp.c,v 1.272 2018/04/10 08:41:14 maxv Exp $ */
+/* $NetBSD: if_arp.c,v 1.273 2018/04/11 05:38:47 maxv Exp $ */
 /*
 * Copyright (c) 1998, 2000, 2008 The NetBSD Foundation, Inc.
@@ -68,7 +68,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_arp.c,v 1.272 2018/04/10 08:41:14 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_arp.c,v 1.273 2018/04/11 05:38:47 maxv Exp $");
 #ifdef _KERNEL_OPT
 #include "opt_ddb.h"
@@ -1358,6 +1358,15 @@ reply:
 }
 ia4_release(ia, &psref_ia);
+ /*
+ * XXX XXX: Here we're recycling the mbuf. But the mbuf could have
+ * other mbufs in its chain, and just overwriting m->m_pkthdr.len
+ * would be wrong in this case (the length becomes smaller than the
+ * real chain size).
+ *
+ * This can theoretically cause bugs in the lower layers (drivers,
+ * and L2encap), in some corner cases.
+ */
 memcpy(ar_tpa(ah), ar_spa(ah), ah->ar_pln);
 memcpy(ar_spa(ah), &itaddr, ah->ar_pln);
 ah->ar_op = htons(ARPOP_REPLY);
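Review bot: The new comment before the `memcpy()` calls in the third hunk documents a length inconsistency but leaves the reply path unguarded, and a bare `XXX XXX` names neither an owner nor a remedy. By the comment's own description, a request that arrives as a multi-mbuf chain ends up with `m->m_pkthdr.len` smaller than the real chain; ARP requests come from any host on the link, so this is remotely influenced input reaching drivers and L2 encapsulation with inconsistent metadata. I would either state the remedy in the comment, e.g. `* Fix: drop the trailing mbufs before shrinking m_pkthdr.len.`, or apply it where the length is set (outside this hunk, so unverified here), along the lines of `m_freem(m->m_next); m->m_next = NULL;`. The enclosing function begins and ends outside the hunk.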