DragonFlyBSD Kernel Audit
DF-0555

m_pullup is dead code: packetlen=m_len then m_len<packetlen always false, mbuf chains mis-parsed

Summary

In nglmi_rcvdata (:575-587), packetlen is set from m->m_hdr.mh_len, which is the length of the first mbuf only. The check at :582, if (m->m_len < packetlen), compares m_len against a value that was just assigned from m->m_len, so the test is m_len < m_len, which is always false, and m_pullup is never invoked. The comment at :577 reads "XXX what if more than 1 mbuf?".

Impact: a multi-mbuf LMI frame is parsed using only its first fragment. Legitimate status messages are rejected or mis-parsed, which causes spurious DLCI-down flapping.

Fix: packetlen = m_pkthdr.len, then m_pullup(m, m_pkthdr.len).
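The dead check next to the corrected one, as an added user-space example (not the kernel source). struct mbuf_model, model_pullup and the sample bytes are constructed for illustration, and model_pullup only imitates the result of making the chain contiguous.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical user-space stand-in for an mbuf; not the kernel struct. */
struct mbuf_model {
    struct mbuf_model *m_next;
    const unsigned char *m_data;
    int m_len;       /* bytes held in this mbuf only */
    int pkthdr_len;  /* bytes in the whole chain (first mbuf only) */
};

/* Pattern from the finding: packetlen comes from the first mbuf, so the
 * test is m_len < m_len and never requests a pullup. */
static int needs_pullup_reported(const struct mbuf_model *m) {
    int packetlen = m->m_len;
    return m->m_len < packetlen;
}

/* Pattern from the suggested fix: packetlen is the packet header length. */
static int needs_pullup_fixed(const struct mbuf_model *m) {
    int packetlen = m->pkthdr_len;
    return m->m_len < packetlen;
}

/* Models the effect of a pullup: copy `want` bytes of the chain into one
 * contiguous buffer. Returns want, or -1 if the chain is too short. */
static int model_pullup(const struct mbuf_model *m, unsigned char *out, int want) {
    int got = 0;
    for (; m != NULL && got < want; m = m->m_next) {
        int n = m->m_len < want - got ? m->m_len : want - got;
        memcpy(out + got, m->m_data, (size_t)n);
        got += n;
    }
    return got == want ? got : -1;
}

/* Constructed sample: 13 arbitrary bytes split 4 + 9 over two mbufs. */
static const unsigned char frag1[] = {1, 2, 3, 4};
static const unsigned char frag2[] = {5, 6, 7, 8, 9, 10, 11, 12, 13};
static struct mbuf_model second = {NULL, frag2, 9, 0};
static struct mbuf_model first = {&second, frag1, 4, 13};
static struct mbuf_model single = {NULL, frag1, 4, 4};
static unsigned char scratch[16];

int main(void) {
    printf("reported=%d fixed=%d contiguous=%d\n", needs_pullup_reported(&first),
           needs_pullup_fixed(&first), model_pullup(&first, scratch, first.pkthdr_len));
    return 0;
}
```

With the reported pattern, a parser reading the first mbuf sees 4 of the 13 bytes; with the corrected length the check fires and all 13 become addressable in one buffer.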