explorer
Wed Aug 14 01:53:20 EDT 1996
Update of /a/cvsroot/src/sys/kern
In directory pain.lcs.mit.edu:/a/tmp/cvs-serv27821

Modified Files:
	uipc_socket.c 
Log Message:
This fixes a nasty little bug where traceroute (and other raw-ip sending
programs which attach their own header) can crash the machine.  The problem
in this case was:
	a variable "space" was set to the total data to copy,
	len was used to remember how much to copy in this chunk (mbuf),
	in one case, len = min(MCLBYTES - max_hdr, resid) but
		size -= MCLBYTES;
	 instead of
		size -= len;

Note that userland programs can still crash the machine by providing
bogus data in the ip->ip_len field I suspect.  I haven't verified this,
but will soon be doing so and applying a fix of some sort.  Probably
clamping the ip->ip_len value to the true packet size will be ok.