From: David Hill
Subject: tcp_respond - use memcpy
To: tech@openbsd.org
Date: Sat, 11 Jan 2025 21:03:20 +0000
ip6 and th both point to location on m, which is new memory from m_gethdr. There should be no overlapping memory, so use memcpy.
Index: tcp_subr.c
===================================================================
RCS file: /cvs/src/sys/netinet/tcp_subr.c,v
diff -u -p -u -p -U15 -r1.204 tcp_subr.c
--- tcp_subr.c 3 Jan 2025 17:23:51 -0000 1.204
+++ tcp_subr.c 11 Jan 2025 20:58:28 -0000
@@ -322,48 +322,48 @@ tcp_respond(struct tcpcb *tp, caddr_t te
m = m_gethdr(M_DONTWAIT, MT_HEADER);
if (m == NULL)
return;
m->m_data += max_linkhdr;
tlen = 0;
#define xchg(a,b,type) do { type t; t=a; a=b; b=t; } while (0)
switch (af) {
#ifdef INET6
case AF_INET6:
ip6 = mtod(m, struct ip6_hdr *);
th = (struct tcphdr *)(ip6 + 1);
tlen = sizeof(*ip6) + sizeof(*th);
if (th0) {
- bcopy(template, ip6, sizeof(*ip6));
- bcopy(th0, th, sizeof(*th));
+ memcpy(ip6, template, sizeof(*ip6));
+ memcpy(th, th0, sizeof(*th));
xchg(ip6->ip6_dst, ip6->ip6_src, struct in6_addr);
} else {
- bcopy(template, ip6, tlen);
+ memcpy(ip6, template, tlen);
}
break;
#endif /* INET6 */
case AF_INET:
ip = mtod(m, struct ip *);
th = (struct tcphdr *)(ip + 1);
tlen = sizeof(*ip) + sizeof(*th);
if (th0) {
- bcopy(template, ip, sizeof(*ip));
- bcopy(th0, th, sizeof(*th));
+ memcpy(ip, template, sizeof(*ip));
+ memcpy(th, th0, sizeof(*th));
xchg(ip->ip_dst.s_addr, ip->ip_src.s_addr, u_int32_t);
} else {
- bcopy(template, ip, tlen);
+ memcpy(ip, template, tlen);
}
break;
}
if (th0)
xchg(th->th_dport, th->th_sport, u_int16_t);
else
flags = TH_ACK;
#undef xchg
th->th_seq = htonl(seq);
th->th_ack = htonl(ack);
th->th_x2 = 0;
th->th_off = sizeof (struct tcphdr) >> 2;
th->th_flags = flags;
if (tp)
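Review bot: The two else-branch copies, `memcpy(ip6, template, tlen)` and `memcpy(ip, template, tlen)`, read a full IP plus TCP header from `template`, which is a bare `caddr_t` whose backing size is not visible in this hunk, and with memcpy the no-overlap property becomes a hard requirement instead of something bcopy tolerated. The destination side of the argument holds up from the visible lines, since `m` comes straight from `m_gethdr()` and neither `template` nor `th0` can point into it. I would record both assumptions next to the copies, for example `/* m is fresh from m_gethdr(): dst cannot overlap template or th0; template must cover tlen bytes */`, and if the callers can guarantee it, back the source-size part with an assertion. tcp_respond starts and ends outside this hunk, so whether the callers already ensure this cannot be checked here.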