Subject: Re: kern/32928: bpf filter can fail to extract a 32-bit quantity
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: Pavel Cahyna <pavel.cahyna@st.mff.cuni.cz>
List: netbsd-bugs
Date: 02/25/2006 14:10:03
The following reply was made to PR kern/32928; it has been noted by GNATS.

From: Pavel Cahyna <pavel.cahyna@st.mff.cuni.cz>
To: Rui Paulo <rpaulo@fnop.net>
Cc: gnats-bugs@netbsd.org
Subject: Re: kern/32928: bpf filter can fail to extract a 32-bit quantity
Date: Sat, 25 Feb 2006 15:05:25 +0100

 On Sat, Feb 25, 2006 at 01:52:38PM +0000, Rui Paulo wrote:
 > >  BTW I'm planning to reorganize this code a bit... I just wanted to know if
 > >  this is an actual bug and if calling m_xhalf twice would be OK.
 > 
 > Alright. IIUC, m_xhalf will never be called twice with the same mbuf,
 > but I can be completely wrong and you'll probably correct me :-)
 
 I'm proposing this, so m_xhalf would actually be called twice with the
 same mbuf (of course, error handling is unfinished):
 
 Index: bpf_filter.c
 ===================================================================
 RCS file: /home/pavel/cvs/src/sys/net/bpf_filter.c,v
 retrieving revision 1.29
 diff -u -c -r1.29 bpf_filter.c
 cvs diff: conflicting specifications of output style
 --- bpf_filter.c	7 Feb 2006 20:10:48 -0000	1.29
 +++ bpf_filter.c	25 Feb 2006 14:01:27 -0000
 @@ -97,27 +97,10 @@
  	if (len >= k + 4) {
  		*err = 0;
  		return EXTRACT_LONG(cp);
 +	} else {
 +		return (m_xhalf(m, k, err) << 16) | m_xhalf(m, k+2, err);
  	}
 -	m0 = m->m_next;
 -	if (m0 == 0 || m0->m_len + len - k < 4)
 -		goto bad;
 -	*err = 0;
 -	np = mtod(m0, u_char *);
 -	switch (len - k) {
 -
 -	case 1:
 -		return (cp[0] << 24) | (np[0] << 16) | (np[1] << 8) |
 		np[2];
 -
 -	case 2:
 -		return (cp[0] << 24) | (cp[1] << 16) | (np[0] << 8) |
 		np[1];
  
 -	default:
 -		return (cp[0] << 24) | (cp[1] << 16) | (cp[2] << 8) |
 		np[0];
 -	}
 -    bad:
 -	*err = 1;
 -
 -	return 0;
  }
  
  static int
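Review bot: the `+` line `return (m_xhalf(m, k, err) << 16) | m_xhalf(m, k+2, err);` lets the second call to complete overwrite `*err`, and C leaves the evaluation order of the operands of `|` unspecified, so if a compiler evaluates `m_xhalf(m, k+2, err)` first and it fails (chain ends two or three bytes past `k`), the later successful `m_xhalf(m, k, err)` resets `*err` to 0 and the caller takes a truncated value as valid. Evaluate the two halves into locals one at a time, test `*err` after each, and only then combine them. Also, with `bad:` deleted in this hunk, any `goto bad` remaining elsewhere in the function has lost its label, and `np` and `m0` have no uses left in the branch that was removed, so their declarations want removing too; KNF would spell the second offset `k + 2`.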
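The situation the PR describes, as an added example that is not part of this message or of the NetBSD sources: a user-space model of an mbuf chain, the pre-patch extraction that only copes with a word straddling two mbufs, the proposed composition of two m_xhalf calls with its error handling finished, and the way a shared err flag gets clobbered when both calls sit in one expression. The `struct mbuf` stand-in, `m_seek`, `extract`, the `XFAIL` sentinel and the byte chains are assumptions of this example; the real extractors take the same arguments but live in sys/net/bpf_filter.c.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* User-space stand-in for the kernel mbuf (only the fields the extractors use). */
struct mbuf {
	struct mbuf *m_next;
	int m_len;
	unsigned char *m_data;
};
#define mtod(m, t) ((t)((m)->m_data))

/* Advance to the mbuf holding offset *k, adjusting *k; NULL if the chain ends first. */
static struct mbuf *
m_seek(struct mbuf *m, uint32_t *k)
{
	while (m != NULL && *k >= (uint32_t)m->m_len) {
		*k -= m->m_len;
		m = m->m_next;
	}
	return m;
}

/* 16-bit extract at offset k; the two bytes may sit in two adjacent mbufs. */
static uint32_t
m_xhalf(struct mbuf *m, uint32_t k, int *err)
{
	unsigned char *cp;

	if ((m = m_seek(m, &k)) == NULL)
		goto bad;
	cp = mtod(m, unsigned char *) + k;
	*err = 0;
	if ((uint32_t)m->m_len >= k + 2)
		return ((uint32_t)cp[0] << 8) | cp[1];
	if (m->m_next != NULL)
		return ((uint32_t)cp[0] << 8) | mtod(m->m_next, unsigned char *)[0];
 bad:
	*err = 1;
	return 0;
}

/* Pre-patch logic: a 32-bit word may straddle at most two mbufs, else "bad". */
static uint32_t
m_xword_twombuf(struct mbuf *m, uint32_t k, int *err)
{
	unsigned char *cp, *np;
	uint32_t len;

	if ((m = m_seek(m, &k)) == NULL)
		goto bad;
	len = m->m_len;
	cp = mtod(m, unsigned char *) + k;
	if (len >= k + 4) {
		*err = 0;
		return ((uint32_t)cp[0] << 24) | (cp[1] << 16) | (cp[2] << 8) | cp[3];
	}
	if (m->m_next == NULL || (uint32_t)m->m_next->m_len + len - k < 4)
		goto bad;	/* a 1+1+1+3 chain lands here: the PR's failure */
	*err = 0;
	np = mtod(m->m_next, unsigned char *);
	switch (len - k) {
	case 1:  return ((uint32_t)cp[0] << 24) | (np[0] << 16) | (np[1] << 8) | np[2];
	case 2:  return ((uint32_t)cp[0] << 24) | (cp[1] << 16) | (np[0] << 8) | np[1];
	default: return ((uint32_t)cp[0] << 24) | (cp[1] << 16) | (cp[2] << 8) | np[0];
	}
 bad:
	*err = 1;
	return 0;
}

/* Proposed shape with the error handling finished: check each half before combining. */
static uint32_t
m_xword_twohalves(struct mbuf *m, uint32_t k, int *err)
{
	uint32_t hi = m_xhalf(m, k, err);
	if (*err)
		return 0;
	uint32_t lo = m_xhalf(m, k + 2, err);
	return *err ? 0 : (hi << 16) | lo;
}

/*
 * Failure mode of sharing err inside one '|' expression: C leaves the operand
 * order unspecified, so a compiler may evaluate the low half first. That order
 * is written out explicitly here: the low half fails and sets *err, then the
 * high half succeeds and clears it, so a truncated word comes back as valid.
 */
static uint32_t
m_xword_clobbered_err(struct mbuf *m, uint32_t k, int *err)
{
	uint32_t lo = m_xhalf(m, k + 2, err);
	uint32_t hi = m_xhalf(m, k, err);
	return (hi << 16) | lo;
}

/* Run an extractor and fold its error flag into a sentinel for easy checking. */
#define XFAIL 0xFFFFFFFFu
static uint32_t
extract(uint32_t (*fn)(struct mbuf *, uint32_t, int *), struct mbuf *m, uint32_t k)
{
	int err;
	uint32_t v = fn(m, k, &err);
	return err ? XFAIL : v;
}

/* Constructed chains (not captured traffic): 11|22|33|44 55 66, 11|22|33, 11 22|33 44 55 66. */
static unsigned char b0[] = { 0x11 }, b1[] = { 0x22 }, b2[] = { 0x33 }, b3[] = { 0x44, 0x55, 0x66 };
static struct mbuf c3 = { NULL, 3, b3 }, c2 = { &c3, 1, b2 }, c1 = { &c2, 1, b1 }, c0 = { &c1, 1, b0 };
static struct mbuf s2 = { NULL, 1, b2 }, s1 = { &s2, 1, b1 }, s0 = { &s1, 1, b0 };
static unsigned char t0[] = { 0x11, 0x22 }, t1[] = { 0x33, 0x44, 0x55, 0x66 };
static struct mbuf d1 = { NULL, 4, t1 }, d0 = { &d1, 2, t0 };

int
main(void)
{
	printf("two-mbuf code, 1+1+1+3 chain: %#x\n", extract(m_xword_twombuf, &c0, 0));      /* 0xffffffff */
	printf("two halves,    1+1+1+3 chain: %#x\n", extract(m_xword_twohalves, &c0, 0));    /* 0x11223344 */
	printf("two halves,    3-byte chain:  %#x\n", extract(m_xword_twohalves, &s0, 0));    /* 0xffffffff */
	printf("clobbered err, 3-byte chain:  %#x\n", extract(m_xword_clobbered_err, &s0, 0)); /* 0x11220000 */
	return 0;
}
```

The two-mbuf straddle (chain `d0`) is the case both versions agree on; the one-byte-per-mbuf chain `c0` is where only the composed version succeeds, and the three-byte chain `s0` is where the composition must still report an error rather than let the second call's result stand in for the first's.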