貌似發現一個FreeBSD內核的小bug

代碼中只判斷了IP頭是否在mbuf的空間內，而實際上ipv4和ipv6頭裡的IP_TOS有可能在mbuf之外。不過二層頭一般應該不會大到把ip頭擠到mbuf最後一個字節，從而使ip_tos在另一個mbuf內。
CODE:/*
* read and write diffserv field in IPv4 or IPv6 header
*/
u_int8_t
read_dsfield(m, pktattr)
struct mbuf *m;
struct altq_pktattr *pktattr;
{
struct mbuf *m0;
u_int8_t ds_field = 0;
if (pktattr == NULL ||
(pktattr->pattr_af != AF_INET && pktattr->pattr_af != AF_INET6))
return ((u_int8_t)0);
/* verify that pattr_hdr is within the mbuf data */
for (m0 = m; m0 != NULL; m0 = m0->m_next)
if ((pktattr->pattr_hdr >= m0->m_data) &&
(pktattr->pattr_hdr < m0->m_data + m0->m_len))
break;
if (m0 == NULL) {
/* ick, pattr_hdr is stale */
pktattr->pattr_af = AF_UNSPEC;
#ifdef ALTQ_DEBUG
printf("read_dsfield: can't locate header!\n");
#endif
return ((u_int8_t)0);
}
if (pktattr->pattr_af == AF_INET) {
struct ip *ip = (struct ip *)pktattr->pattr_hdr;
if (ip->ip_v != 4)
return ((u_int8_t)0); /* version mismatch! */
ds_field = ip->ip_tos;
}
#ifdef INET6
else if (pktattr->pattr_af == AF_INET6) {
struct ip6_hdr *ip6 = (struct ip6_hdr *)pktattr->pattr_hdr;
u_int32_t flowlabel;
flowlabel = ntohl(ip6->ip6_flow);
if ((flowlabel >> 28) != 6)
return ((u_int8_t)0); /* version mismatch! */
ds_field = (flowlabel >> 20) & 0xff;
}
#endif
return (ds_field);
}
void
write_dsfield(m, pktattr, dsfield)
struct mbuf *m;
struct altq_pktattr *pktattr;
u_int8_t dsfield;
{
struct mbuf *m0;
if (pktattr == NULL ||
(pktattr->pattr_af != AF_INET && pktattr->pattr_af != AF_INET6))
return;
/* verify that pattr_hdr is within the mbuf data */
for (m0 = m; m0 != NULL; m0 = m0->m_next)
if ((pktattr->pattr_hdr >= m0->m_data) &&
(pktattr->pattr_hdr < m0->m_data + m0->m_len))
break;
if (m0 == NULL) {
/* ick, pattr_hdr is stale */
pktattr->pattr_af = AF_UNSPEC;
#ifdef ALTQ_DEBUG
printf("write_dsfield: can't locate header!\n");
#endif
return;
}
if (pktattr->pattr_af == AF_INET) {
struct ip *ip = (struct ip *)pktattr->pattr_hdr;
u_int8_t old;
int32_t sum;
if (ip->ip_v != 4)
return; /* version mismatch! */
old = ip->ip_tos;
dsfield |= old & 3; /* leave CU bits */
if (old == dsfield)
return;
ip->ip_tos = dsfield;
/*
* update checksum (from RFC1624)
* HC' = ~(~HC + ~m + m')
*/
sum = ~ntohs(ip->ip_sum) & 0xffff;
sum += 0xff00 + (~old & 0xff) + dsfield;
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16); /* add carry */
ip->ip_sum = htons(~sum & 0xffff);
}
#ifdef INET6
else if (pktattr->pattr_af == AF_INET6) {
struct ip6_hdr *ip6 = (struct ip6_hdr *)pktattr->pattr_hdr;
u_int32_t flowlabel;
flowlabel = ntohl(ip6->ip6_flow);
if ((flowlabel >> 28) != 6)
return; /* version mismatch! */
flowlabel = (flowlabel & 0xf03fffff) | (dsfield << 20);
ip6->ip6_flow = htonl(flowlabel);
}
#endif
return;
}