貌似发现一个FreeBSD内核的小bug
作者 佚名技术
来源 操作系统
浏览
发布时间 2012-06-27
|
代码中只判断了IP头是否在mbuf的空间内,而实际上ipv4和ipv6头里的IP_TOS有可能在mbuf之外。不过二层头一般应该不会大到把ip头挤到mbuf最后一个字节,从而使ip_tos在另一个mbuf内。
CODE:/*
* read and write diffserv field in IPv4 or IPv6 header
*/
u_int8_t
read_dsfield(m, pktattr)
struct mbuf *m;
struct altq_pktattr *pktattr;
{
struct mbuf *m0;
u_int8_t ds_field = 0;
if (pktattr == NULL ||
(pktattr->pattr_af != AF_INET && pktattr->pattr_af != AF_INET6))
return ((u_int8_t)0);
/* verify that pattr_hdr is within the mbuf data */
for (m0 = m; m0 != NULL; m0 = m0->m_next)
if ((pktattr->pattr_hdr >= m0->m_data) &&
(pktattr->pattr_hdr < m0->m_data + m0->m_len))
break;
if (m0 == NULL) {
/* ick, pattr_hdr is stale */
pktattr->pattr_af = AF_UNSPEC;
#ifdef ALTQ_DEBUG
printf("read_dsfield: can''t locate header!\n");
#endif
return ((u_int8_t)0);
}
if (pktattr->pattr_af == AF_INET) {
struct ip *ip = (struct ip *)pktattr->pattr_hdr;
if (ip->ip_v != 4)
return ((u_int8_t)0); /* version mismatch! */
ds_field = ip->ip_tos;
}
#ifdef INET6
else if (pktattr->pattr_af == AF_INET6) {
struct ip6_hdr *ip6 = (struct ip6_hdr *)pktattr->pattr_hdr;
u_int32_t flowlabel;
flowlabel = ntohl(ip6->ip6_flow);
if ((flowlabel >> 28) != 6)
return ((u_int8_t)0); /* version mismatch! */
ds_field = (flowlabel >> 20) & 0xff;
}
#endif
return (ds_field);
}
void
write_dsfield(m, pktattr, dsfield)
struct mbuf *m;
struct altq_pktattr *pktattr;
u_int8_t dsfield;
{
struct mbuf *m0;
if (pktattr == NULL ||
(pktattr->pattr_af != AF_INET && pktattr->pattr_af != AF_INET6))
return;
/* verify that pattr_hdr is within the mbuf data */
for (m0 = m; m0 != NULL; m0 = m0->m_next)
if ((pktattr->pattr_hdr >= m0->m_data) &&
(pktattr->pattr_hdr < m0->m_data + m0->m_len))
break;
if (m0 == NULL) {
/* ick, pattr_hdr is stale */
pktattr->pattr_af = AF_UNSPEC;
#ifdef ALTQ_DEBUG
printf("write_dsfield: can''t locate header!\n");
#endif
return;
}
if (pktattr->pattr_af == AF_INET) {
struct ip *ip = (struct ip *)pktattr->pattr_hdr;
u_int8_t old;
int32_t sum;
if (ip->ip_v != 4)
return; /* version mismatch! */
old = ip->ip_tos;
dsfield |= old & 3; /* leave CU bits */
if (old == dsfield)
return;
ip->ip_tos = dsfield;
/*
* update checksum (from RFC1624)
* HC'' = ~(~HC + ~m + m'')
*/
sum = ~ntohs(ip->ip_sum) & 0xffff;
sum += 0xff00 + (~old & 0xff) + dsfield;
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16); /* add carry */
ip->ip_sum = htons(~sum & 0xffff);
}
#ifdef INET6
else if (pktattr->pattr_af == AF_INET6) {
struct ip6_hdr *ip6 = (struct ip6_hdr *)pktattr->pattr_hdr;
u_int32_t flowlabel;
flowlabel = ntohl(ip6->ip6_flow);
if ((flowlabel >> 28) != 6)
return; /* version mismatch! */
flowlabel = (flowlabel & 0xf03fffff) | (dsfield << 20);
ip6->ip6_flow = htonl(flowlabel);
}
#endif
return;
} |
凌众科技专业提供服务器租用、服务器托管、企业邮局、虚拟主机等服务,公司网站:http://www.lingzhong.cn
为了给广大客户了解更多的技术信息,本技术文章收集来源于网络,凌众科技尊重文章作者的版权,如果有涉及你的版权有必要删除你的文章,请和我们联系。以上信息与文章正文是不可分割的一部分,如果您要转载本文章,请保留以上信息,谢谢!
|
|
|