List:       openbsd-bugs
Subject:    Re: Bug in bridge source code.
From:       jason () thought ! net (Jason L !  Wright)
Date:       2002-09-24 19:43:25

> Hi,
> 
> The function void bstp_transmit_tcn(sc), in the file
> src/sys/net/bridgestp.c has a bug.
> 
> The function is supposed to create a topology change
> BPDU, but the packet generated is not in the right
> format. The problem is that the variable "eh" (see attached
> code) is a pointer and has a size of 4 bytes. In the last
> line of the attached code we have a bcopy which takes the
> size of eh, which returns 4, which is the bug. To send
> the right packet we need the length of ether_header,
> which is 14 bytes. I hope the problem can be
> resolved.
> 
There are actually two bugs like this in the same function.  This
is what I get from copying and pasting from the cpdu transmit
function.  Please try the patch below.

Index: bridgestp.c
===================================================================
RCS file: /cvs/src/sys/net/bridgestp.c,v
retrieving revision 1.8
diff -u -r1.8 bridgestp.c
--- bridgestp.c	14 Mar 2002 01:27:09 -0000	1.8
+++ bridgestp.c	24 Sep 2002 19:43:12 -0000
@@ -395,7 +395,7 @@
 	if (m == NULL)
 		return;
 	m->m_pkthdr.rcvif = ifp;
-	m->m_pkthdr.len = sizeof(eh) + sizeof(bpdu);
+	m->m_pkthdr.len = sizeof(*eh) + sizeof(bpdu);
 	m->m_len = m->m_pkthdr.len;
 
 	eh = mtod(m, struct ether_header *);
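Review bot: in the m->m_pkthdr.len assignment, sizeof(*eh) names eh one statement before eh is set by mtod(). That is legal, since sizeof does not evaluate its operand, but it reads like a use before initialization and keeps the pointer-versus-struct confusion one missing character away. Writing sizeof(struct ether_header) here would state the intended 14-byte header length directly and cannot regress to the pointer size.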
@@ -408,7 +408,7 @@
 	bpdu.tbu_protoid = 0;
 	bpdu.tbu_protover = 0;
 	bpdu.tbu_bpdutype = BSTP_MSGTYPE_TCN;
-	bcopy(&bpdu, m->m_data + sizeof(eh), sizeof(bpdu));
+	bcopy(&bpdu, m->m_data + sizeof(*eh), sizeof(bpdu));
 
 	s = splimp();
 	if ((ifp->if_flags & IFF_RUNNING) == 0)
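Review bot: the bcopy destination offset, m->m_data + sizeof(*eh), has to stay equal to the header length used for m->m_pkthdr.len in the earlier hunk, yet the two are still written out independently, which is how both picked up the same mistake. Consider deriving the destination from the header pointer itself, for example copying to (caddr_t)(eh + 1), or using sizeof(struct ether_header) in both places, so the length and the offset cannot drift apart. The commit message should also record the on-wire effect: with sizeof(eh) the BPDU was copied to an offset inside the Ethernet header and the frame length was short by the difference between the struct and pointer sizes.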
