Re: kern/43541: Unaligned access in pf_normalize_tcpopt()

[David Holland <dholland-bugs%netbsd.org@localhost>]

The following reply was made to PR kern/43541; it has been noted by GNATS.

From: David Holland <dholland-bugs%netbsd.org@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: 
Subject: Re: kern/43541: Unaligned access in pf_normalize_tcpopt()
Date: Sun, 31 Jul 2016 23:08:15 +0000

 On Mon, Jun 28, 2010 at 04:35:00PM +0000, gandersen%cradlepoint.com@localhost wrote:
  > Index: sys/dist/pf/net/pf_norm.c
  > ===================================================================
  > --- sys/dist/pf/net/pf_norm.c
  > +++ sys/dist/pf/net/pf_norm.c	(working copy)
  > @@ -1878,7 +1878,7 @@
  >  pf_normalize_tcpopt(struct pf_rule *r, struct mbuf *m, struct tcphdr *th,
  >      int off)
  >  {
  > -	u_int16_t	*mss;
  > +	u_int16_t	 mss;
  >  	int		 thoff;
  >  	int		 opt, cnt, optlen = 0;
  >  	int		 rewrite = 0;
  > @@ -1903,11 +1903,12 @@
  >  		}
  >  		switch (opt) {
  >  		case TCPOPT_MAXSEG:
  > -			mss = (u_int16_t *)(optp + 2);
  > -			if ((ntohs(*mss)) > r->max_mss) {
  > +			mss = (optp[2] << 8) | optp[3];
  > +			if (mss > r->max_mss) {
  >  				th->th_sum = pf_cksum_fixup(th->th_sum,
  > -				    *mss, htons(r->max_mss), 0);
  > -				*mss = htons(r->max_mss);
  > +				    htons(mss), htons(r->max_mss), 0);
  > +				optp[2] = (u_char)(r->max_mss >> 8) & 0xff;
  > +				optp[3] = (u_char)(r->max_mss) & 0xff;
  >  				rewrite = 1;
  >  			}
  >  			break;
  > 
 
 Is there any reason this patch hasn't been committed?
 
 -- 
 David A. Holland
 dholland%netbsd.org@localhost