authordhartmei <dhartmei@openbsd.org>2002-10-10 17:27:40 +0000
committerdhartmei <dhartmei@openbsd.org>2002-10-10 17:27:40 +0000
commitd65bf25e0fe400d23b645eead0dae0ac603d3607 (patch)
tree972f52fec4faab3a2912ee1338c007c696c1e16f
parentprotect against multiple inclusion; pointed out by naddy, miod ok (diff)
Missing m_pullup() and mbuf corruption. This potentially caused
"panic: m_copym0: m == 0 and not COPYALL" and/or "panic: m_copydata: null mbuf" on bridges running pf with scrubbing enabled. Bug report, test vector and confirmation by Jon Morby. ok jason@, jasoni@
-rw-r--r--sys/net/if_bridge.c9
-rw-r--r--sys/netinet/ip_output.c4
2 files changed, 8 insertions, 5 deletions
diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c
index 7f4d8e79529..6c430b609be 100644
--- a/sys/net/if_bridge.c
+++ b/sys/net/if_bridge.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_bridge.c,v 1.102 2002/08/07 18:44:39 jason Exp $ */
+/* $OpenBSD: if_bridge.c,v 1.103 2002/10/10 17:27:40 dhartmei Exp $ */
/*
* Copyright (c) 1999, 2000 Jason L. Wright (jason@thought.net)
@@ -2470,7 +2470,7 @@ bridge_fragment(sc, ifp, eh, m)
struct mbuf *m;
{
struct llc llc;
- struct mbuf *m0 = m;
+ struct mbuf *m0;
int s, len, error = 0;
int hassnap = 0;
#ifdef INET
@@ -2507,6 +2507,9 @@ bridge_fragment(sc, ifp, eh, m)
if (hassnap)
m_adj(m, LLC_SNAPFRAMELEN);
+ if (m->m_len < sizeof(struct ip) &&
+ (m = m_pullup(m, sizeof(struct ip))) == NULL)
+ goto dropit;
ip = mtod(m, struct ip *);
NTOHS(ip->ip_len);
NTOHS(ip->ip_off);
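Review bot: The added m_pullup() guarantees only `sizeof(struct ip)` contiguous bytes, so a header carrying IP options can still be split across mbufs when the fragmentation code later reads `ip->ip_hl << 2` bytes through `ip`. If no earlier check in bridge_fragment (not visible in this hunk) has validated `ip_hl` and pulled up the full header, a second pullup to the real header length is needed after this one. On failure m_pullup() has already freed the chain and `m` is NULL at `goto dropit`, so the `dropit` label, which is outside the hunk, has to tolerate a NULL `m`. A short comment such as `/* header may be split across mbufs after m_adj() or packet filtering */` would record why the check exists.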
@@ -2522,7 +2525,7 @@ bridge_fragment(sc, ifp, eh, m)
if (error == EMSGSIZE)
goto dropit;
- for (m = m0; m; m = m0) {
+ for (; m; m = m0) {
m0 = m->m_nextpkt;
m->m_nextpkt = 0;
if (error == 0) {
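Review bot: The empty init clause in `for (; m; m = m0)` reads like an accidental omission and invites someone to restore `m = m0`, which would reintroduce the stale-pointer walk this commit removes. A comment above the loop would prevent that, for example `/* start from m, not a saved copy: m may have been replaced since function entry */`. The same applies to the identical loop in the `sendit:` hunk of sys/netinet/ip_output.c. Since `m0` in bridge_fragment is now declared without an initializer and is first assigned inside this loop body, declaring it as `struct mbuf *m0 = NULL;` would keep any future early read from using an indeterminate pointer. The loop body continues outside the hunk.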
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index c5809942299..c0c6309c283 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_output.c,v 1.149 2002/06/24 23:57:28 itojun Exp $ */
+/* $OpenBSD: ip_output.c,v 1.150 2002/10/10 17:27:40 dhartmei Exp $ */
/* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
/*
@@ -734,7 +734,7 @@ sendit:
if (error == EMSGSIZE)
goto bad;
- for (m = m0; m; m = m0) {
+ for (; m; m = m0) {
m0 = m->m_nextpkt;
m->m_nextpkt = 0;
if (error == 0)