From 40fa900618fa42cf3fdbbe27ac3e0f567862ae11 Mon Sep 17 00:00:00 2001
From: ae <ae@ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f>
Date: Wed, 2 Mar 2016 13:38:21 +0000
Subject: [PATCH] MFC r295969:   Fix bug in filling and handling ipfw's O_DSCP
 opcode.   Due to integer overflow CS4 token was handled as BE.

  PR:		207459
Approved by:	re (gjb)


git-svn-id: svn://svn.freebsd.org/base/stable/10@296311 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 sbin/ipfw/ipfw2.c         | 2 +-
 sys/netpfil/ipfw/ip_fw2.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/sbin/ipfw/ipfw2.c b/sbin/ipfw/ipfw2.c
index ff8395dc7..f585dedec 100644
--- a/sbin/ipfw/ipfw2.c
+++ b/sbin/ipfw/ipfw2.c
@@ -779,7 +779,7 @@ fill_dscp(ipfw_insn *cmd, char *av, int cblen)
 				errx(EX_DATAERR, "Invalid DSCP value");
 		}
 
-		if (code > 32)
+		if (code >= 32)
 			*high |= 1 << (code - 32);
 		else
 			*low |= 1 << code;
diff --git a/sys/netpfil/ipfw/ip_fw2.c b/sys/netpfil/ipfw/ip_fw2.c
index 764696cf8..712c67532 100644
--- a/sys/netpfil/ipfw/ip_fw2.c
+++ b/sys/netpfil/ipfw/ip_fw2.c
@@ -1678,7 +1678,7 @@ do {								\
 					break;
 
 				/* DSCP bitmask is stored as low_u32 high_u32 */
-				if (x > 32)
+				if (x >= 32)
 					match = *(p + 1) & (1 << (x - 32));
 				else
 					match = *p & (1 << x);
-- 
2.45.0