Subject: port-i386/166: if_ep may drop packets due to cut&paste bug.
To: None <gnats-admin>
From: None <sommerfeld@orchard.medford.ma.us>
List: netbsd-bugs
Date: 03/13/1994 10:20:03
>Number: 166
>Category: port-i386
>Synopsis: if_ep may drop packets due to cut&paste bug.
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: gnats-admin (GNATS administrator)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Mar 13 10:20:02 1994
>Originator: Bill Sommerfeld
>Organization:
none
>Release:
>Environment:
System: NetBSD orchard.medford.ma.us 0.9a ORCHARD#3 i386
>Description:
I discovered the following subtle bug while cribbing code out of if_ep
for if_lt. It's unlikely to be noticed since nobody uses trailers..
The following code sequence occurs in epread() where it puts the
"real" header back on a packet if trailers were used.

        top = sc->mb[sc->next_mb];
        sc->mb[sc->next_mb] = 0;
        if (top == 0) {
>>>             MGETHDR(m, M_DONTWAIT, MT_DATA);
                if (top == 0)
                        goto out;
        } else {        /* Convert one of our saved mbuf's */
                sc->next_mb = (sc->next_mb + 1) % MAX_MBS;
                top->m_data = top->m_pktdat;
                top->m_flags = M_PKTHDR;
        }

If you take the top==0 case, you allocate an mbuf into "m",
and then drop the packet..
>How-To-Repeat:
>Fix:
I think the
        MGETHDR(m, M_DONTWAIT, MT_DATA);
should be
        MGETHDR(top, M_DONTWAIT, MT_DATA);
>Audit-Trail:
>Unformatted:
------------------------------------------------------------------------------
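
A small user-space model of the epread() step quoted in the report, added here as an example; it is not part of the original report or of the NetBSD source. The names `get_top()`, `deliver()`, `live_mbufs` and `proposed_fix`, the calloc-based `MGETHDR` stand-in and the value of `MAX_MBS` are assumptions, as is the premise that nothing frees `m` on the `out` path. It compares the quoted line with the one proposed under >Fix: when the saved-mbuf slot is empty.

```c
#include <stdio.h>
#include <stdlib.h>
#define MAX_MBS 8              /* constructed; the report gives no value */
struct mbuf { int m_flags; };
struct ep_softc { struct mbuf *mb[MAX_MBS]; int next_mb; };
static int live_mbufs;         /* model only: allocated and not yet freed */

/* Stand-in for the kernel macro: leaves the new mbuf (or NULL) in its
 * first argument; the how/type arguments are ignored in this model. */
#define MGETHDR(m, how, type) \
    do { (m) = calloc(1, sizeof(struct mbuf)); if (m) live_mbufs++; } while (0)

/* The header-mbuf step from epread(); proposed_fix selects the MGETHDR line. */
static struct mbuf *get_top(struct ep_softc *sc, int proposed_fix)
{
    struct mbuf *m = NULL, *top = sc->mb[sc->next_mb];

    sc->mb[sc->next_mb] = 0;
    if (top == 0) {
        if (proposed_fix)
            MGETHDR(top, M_DONTWAIT, MT_DATA);  /* line proposed under >Fix: */
        else
            MGETHDR(m, M_DONTWAIT, MT_DATA);    /* line as quoted: fills m */
        if (top == 0)
            return NULL;       /* "goto out": packet dropped, m not freed here */
    } else
        sc->next_mb = (sc->next_mb + 1) % MAX_MBS;
    return top;
}

/* Receive n packets with an empty saved-mbuf ring; return how many got a
 * header mbuf. live_mbufs afterwards counts mbufs nobody owns any more. */
static int deliver(int proposed_fix, int n)
{
    struct ep_softc sc = { {0}, 0 };
    int ok = 0;

    live_mbufs = 0;
    for (int i = 0; i < n; i++) {
        struct mbuf *top = get_top(&sc, proposed_fix);
        if (top) { ok++; free(top); live_mbufs--; }
    }
    return ok;
}

int main(void)
{
    int ok = deliver(0, 8);
    printf("as quoted: delivered=%d stranded=%d\n", ok, live_mbufs);
    ok = deliver(1, 8);
    printf("proposed:  delivered=%d stranded=%d\n", ok, live_mbufs);
    return 0;
}
```

When a saved mbuf is present in the ring, both variants take the `else` branch and behave identically, so the difference only shows once the slot at `next_mb` is empty.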