Subject: Re: kern/32928: bpf filter can fail to extract a 32-bit quantity
To: None <netbsd-bugs@netbsd.org>
From: Rui Paulo <rpaulo@fnop.net>
List: netbsd-bugs
Date: 02/25/2006 13:52:38
Pavel Cahyna <pavel.cahyna@st.mff.cuni.cz> writes:
> The following reply was made to PR kern/32928; it has been noted by GNATS.
>
> From: Pavel Cahyna <pavel.cahyna@st.mff.cuni.cz>
> To: Rui Paulo <rpaulo@fnop.net>
> Cc: gnats-bugs@netbsd.org
> Subject: Re: kern/32928: bpf filter can fail to extract a 32-bit quantity
> Date: Sat, 25 Feb 2006 14:42:50 +0100
>
> On Sat, Feb 25, 2006 at 12:51:33PM +0000, Rui Paulo wrote:
> > --- bpf_filter.c.~1.29.~ 2006-02-10 20:08:13.000000000 +0000
> > +++ bpf_filter.c 2006-02-25 12:51:07.000000000 +0000
> > @@ -98,9 +98,13 @@ m_xword(struct mbuf *m, uint32_t k, int
> > *err = 0;
> > return EXTRACT_LONG(cp);
> > }
> > - m0 = m->m_next;
> > - if (m0 == 0 || m0->m_len + len - k < 4)
> > - goto bad;
> > +
> > + for (m0 = m->m_next; ; m0 = m0->next) {
> > + if (m0 == 0)
> > + goto bad;
> > + if (m0->m_len + len - k >= 4)
> > + break;
> > + }
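Review bot: the loop starting at `+ for (m0 = m->m_next; ; m0 = m0->next)` walks past every mbuf shorter than the remaining bytes without consuming those bytes or adjusting `len` and `k`, so the `m0->m_len + len - k >= 4` test is evaluated against the first mbuf's `len` and the subsequent read comes from the wrong offset in a later mbuf; to handle a word split over several short mbufs the bytes have to be gathered across the chain (e.g. into a 4-byte buffer), and the chain must still `goto bad` when it ends early. Also, `m0->next` should be `m0->m_next` as in the removed `m0 = m->m_next` line, otherwise this does not compile.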
>
> Sorry, I don't see how this is supposed to work. This would skip the short
> mbuf(s) and read different data than it is supposed to.
Oh, right.
> BTW I'm planning to reorganize this code a bit... I just wanted to know if
> this is an actual bug and if calling m_xhalf twice would be OK.
Alright. IIUC, m_xhalf will never be called twice with the same mbuf,
but I can be completely wrong and you'll probably correct me :-)
--
Rui Paulo <rpaulo@{NetBSD{,-PT}.org,fnop.net}>