From f13da24715a75ce0fdac31062866877d980aa908 Mon Sep 17 00:00:00 2001
From: Florian Florensa <florian@florensa.me>
Date: Fri, 16 Feb 2018 10:53:22 +0100
Subject: [PATCH] net/bpf: Fix writing of buffer bigger than PAGESIZE

When allocating the mbuf we used m_get2 which fails
if len is superior to MJUMPAGESIZE, if its the case,
use m_getjcl instead.

Reviewed by:	kp@
PR:		205164
Pull Request:	https://github.com/freebsd/freebsd-src/pull/131
---
 sys/net/bpf.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/sys/net/bpf.c b/sys/net/bpf.c
index 605e7aa39fd..ec05dd6d337 100644
--- a/sys/net/bpf.c
+++ b/sys/net/bpf.c
@@ -641,7 +641,15 @@ bpf_movein(struct uio *uio, int linktype, struct ifnet *ifp, struct mbuf **mp,
 	if (len < hlen || len - hlen > ifp->if_mtu)
 		return (EMSGSIZE);
 
-	m = m_get2(len, M_WAITOK, MT_DATA, M_PKTHDR);
+	/* Allocate a mbuf for our write, since m_get2 fails if len >= to MJUMPAGESIZE, use m_getjcl for bigger buffers */
+	if (len < MJUMPAGESIZE)
+		m = m_get2(len, M_WAITOK, MT_DATA, M_PKTHDR);
+	else if (len <= MJUM9BYTES)
+		m = m_getjcl(M_WAITOK, MT_DATA, M_PKTHDR, MJUM9BYTES);
+	else if (len <= MJUM16BYTES)
+		m = m_getjcl(M_WAITOK, MT_DATA, M_PKTHDR, MJUM16BYTES);
+	else
+		m = NULL;
 	if (m == NULL)
 		return (EIO);
 	m->m_pkthdr.len = m->m_len = len;