After 11 years of pondering about it I think that brookdavis@freebsd.org

had it correct. Don't BPF_WORDALIGN() the value for the number of
bytes read() into the buffer. This could theoretically cause the
processing of 1 - 3 more bytes than were read.

1 files changed, 3 insertions, 3 deletions

diff --git a/usr.sbin/dhcpd/bpf.c b/usr.sbin/dhcpd/bpf.c
index d046681e957..863d5603eec 100644
--- a/usr.sbin/dhcpd/bpf.c
+++ b/usr.sbin/dhcpd/bpf.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: bpf.c,v 1.16 2017/02/13 23:04:05 krw Exp $	*/
+/*	$OpenBSD: bpf.c,v 1.17 2017/04/18 13:44:03 krw Exp $	*/
 
 /* BPF socket interface code, originally contributed by Archie Cobbs. */
 
@@ -278,13 +278,13 @@ receive_packet(struct interface_info *interface, unsigned char *buf,
 	 */
 	do {
 		/* If the buffer is empty, fill it. */
-		if (interface->rbuf_offset == interface->rbuf_len) {
+		if (interface->rbuf_offset >= interface->rbuf_len) {
 			length = read(interface->rfdesc, interface->rbuf,
 			    interface->rbuf_max);
 			if (length <= 0)
 				return (length);
 			interface->rbuf_offset = 0;
-			interface->rbuf_len = BPF_WORDALIGN(length);
+			interface->rbuf_len = length;
 		}
 
 		/*