From 6f4745d5757e385b06448930a2570371eb2f9a1e Mon Sep 17 00:00:00 2001 From: "Bjoern A. Zeeb" Date: Sun, 7 Sep 2008 13:09:04 +0000 Subject: [PATCH] Catch a possible NULL pointer deref in case the offsets got mangled somehow. As a consequence we may now get an unexpected result(*). Catch that error cases with a well defined panic giving appropriate pointers to ease debugging. (*) While the concensus was that the case should never happen unless there was a bug, noone was definitively sure. Discussed with: kmacy (about 8 months back) Reviewed by: silby (as part of a larger patch in March) MFC after: 2 months --- sys/kern/uipc_sockbuf.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/sys/kern/uipc_sockbuf.c b/sys/kern/uipc_sockbuf.c index b730c695955e..41f5987b3687 100644 --- a/sys/kern/uipc_sockbuf.c +++ b/sys/kern/uipc_sockbuf.c @@ -937,11 +937,13 @@ sbsndptr(struct sockbuf *sb, u_int off, u_int len, u_int *moff) /* Advance by len to be as close as possible for the next transmit. */ for (off = off - sb->sb_sndptroff + len - 1; - off > 0 && off >= m->m_len; + off > 0 && m != NULL && off >= m->m_len; m = m->m_next) { sb->sb_sndptroff += m->m_len; off -= m->m_len; } + if (off > 0 && m == NULL) + panic("%s: sockbuf %p and mbuf %p clashing", __func__, sb, ret); sb->sb_sndptr = m; return (ret);