PERFORCE change 148622 for review
Sam Leffler
sam at FreeBSD.org
Wed Aug 27 15:38:05 UTC 2008
http://perforce.freebsd.org/chv.cgi?CH=148622
Change 148622 by sam at sam_ebb on 2008/08/27 15:37:44
Fix mic calculation when final data is entirely in a trailing mbuf;
it's unclear if this can happen on freebsd but does appear on netbsd.
Identified by Matthias Drochner who came up with an initial change
that we then revised together.
Reviewed by: thompsa, sephe, avatar
Affected files ...
.. //depot/projects/vap/sys/net80211/ieee80211_crypto_tkip.c#15 edit
Differences ...
==== //depot/projects/vap/sys/net80211/ieee80211_crypto_tkip.c#15 (text+ko) ====
@@ -910,7 +910,17 @@
data += sizeof(uint32_t), space -= sizeof(uint32_t);
data_len -= sizeof(uint32_t);
}
- if (data_len < sizeof(uint32_t))
+ /*
+ * NB: when space is zero we make one more trip around
+ * the loop to advance to the next mbuf where there is
+ * data. This handles the case where there are 4*n
+ * bytes in an mbuf followed by <4 bytes in a later mbuf.
+ * By making an extra trip we'll drop out of the loop
+ * with m pointing at the mbuf with 3 bytes and space
+ * set as required by the remainder handling below.
+ */
+ if (data_len == 0 ||
+ (data_len < sizeof(uint32_t) && space != 0))
break;
m = m->m_next;
if (m == NULL) {
@@ -957,6 +967,14 @@
space = m->m_len;
}
}
+ /*
+ * Catch degenerate cases like mbuf[4*n+1 bytes] followed by
+ * mbuf[2 bytes]. I don't believe these should happen; if they
+ * do then we'll need more involved logic.
+ */
+ KASSERT(data_len <= space,
+ ("not enough data, data_len %u space %u\n", data_len, space));
+
/* Last block and padding (0x5a, 4..7 x 0) */
switch (data_len) {
case 0:
More information about the p4-projects
mailing list