After 11 years of pondering about it I think that brookdavis@freebsd.org

had it correct. Don't BPF_WORDALIGN() the value for the number of bytes read() into the buffer. This could theoretically cause the processing of 1 - 3 more bytes than were read.
author: krw <krw@openbsd.org> 2017-04-18 13:44:03 +0000
committer: krw <krw@openbsd.org> 2017-04-18 13:44:03 +0000
commit: bb4d9bd72b5c66bd3be98a81dc071f49dd411523 (patch)
tree: 786d74b474d08b40920ff26919734826f3f147eb /sbin/dhclient/bpf.c
parent: ensure the buffer cache backs off all the way with the correct type (diff)
download: wireguard-openbsd-bb4d9bd72b5c66bd3be98a81dc071f49dd411523.tar.xz
wireguard-openbsd-bb4d9bd72b5c66bd3be98a81dc071f49dd411523.zip
1 files changed, 3 insertions, 3 deletions
diff --git a/sbin/dhclient/bpf.c b/sbin/dhclient/bpf.c
index bd0463dfab1..03a56e8a444 100644
--- a/sbin/dhclient/bpf.c
+++ b/sbin/dhclient/bpf.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: bpf.c,v 1.47 2017/02/12 15:53:15 krw Exp $	*/
+/*	$OpenBSD: bpf.c,v 1.48 2017/04/18 13:44:03 krw Exp $	*/
 
 /* BPF socket interface code, originally contributed by Archie Cobbs. */
 
@@ -350,12 +350,12 @@ receive_packet(struct interface_info *ifi, struct sockaddr_in *from,
 	 */
 	do {
 		/* If the buffer is empty, fill it. */
-		if (ifi->rbuf_offset == ifi->rbuf_len) {
+		if (ifi->rbuf_offset >= ifi->rbuf_len) {
 			length = read(ifi->bfdesc, ifi->rbuf, ifi->rbuf_max);
 			if (length <= 0)
 				return (length);
 			ifi->rbuf_offset = 0;
-			ifi->rbuf_len = BPF_WORDALIGN(length);
+			ifi->rbuf_len = length;
 		}
 
 		/*
author	krw <krw@openbsd.org>	2017-04-18 13:44:03 +0000
committer	krw <krw@openbsd.org>	2017-04-18 13:44:03 +0000
commit	bb4d9bd72b5c66bd3be98a81dc071f49dd411523 (patch)
tree	786d74b474d08b40920ff26919734826f3f147eb /sbin/dhclient/bpf.c
parent	ensure the buffer cache backs off all the way with the correct type (diff)
download	wireguard-openbsd-bb4d9bd72b5c66bd3be98a81dc071f49dd411523.tar.xz wireguard-openbsd-bb4d9bd72b5c66bd3be98a81dc071f49dd411523.zip