From owner-freebsd-bugs Wed Feb 23 22: 0: 6 2000 Delivered-To: freebsd-bugs@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id A34EE37BAEC for ; Wed, 23 Feb 2000 22:00:02 -0800 (PST) (envelope-from gnats@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id WAA66552; Wed, 23 Feb 2000 22:00:02 -0800 (PST) (envelope-from gnats@FreeBSD.org) Received: from squall.waterspout.com (squall.waterspout.com [208.13.60.154]) by hub.freebsd.org (Postfix) with ESMTP id 2EC1337BB02; Wed, 23 Feb 2000 21:50:17 -0800 (PST) (envelope-from csg@squall.waterspout.com) Received: (from csg@localhost) by squall.waterspout.com (8.9.3/8.9.3) id AAA31092; Thu, 24 Feb 2000 00:50:03 -0500 (EST) (envelope-from csg) Message-Id: <200002240550.AAA31092@squall.waterspout.com> Date: Thu, 24 Feb 2000 00:50:03 -0500 (EST) From: csg@waterspout.com Reply-To: csg@waterspout.com To: FreeBSD-gnats-submit@freebsd.org, csg@waterspout.com Cc: rwatson@freebsd.org, mdodd@freebsd.org, jkh@freebsd.org X-Send-Pr-Version: 3.2 Subject: kern/16950: arpintr() incorrectly checks mbuf chain size Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >Number: 16950 >Category: kern >Synopsis: arpintr() incorrectly checks mbuf chain size >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Wed Feb 23 22:00:01 PST 2000 >Closed-Date: >Last-Modified: >Originator: C. Stephen Gunn >Release: FreeBSD 3.4-STABLE i386 >Organization: WaterSpout Communications, Inc. >Environment: FreeBSD-3.4-STABLE or FreeBSD-4.0 current. >Description: The NETISR_ARP handler arpintr() incorrectly checks m->m_len to determine if we have a complete ARP packet. It is possible to have a packet spread across several mbufs in the chain. While this case apparently doesn't happen with normal ethernet interfaces, additional mbuf operations before ARP processing (for 802.1Q Tagged VLANS, Bridged Ethernet over Frame Relay, or perhaps LANE) can cause NETISR_ARP to be presented with a fragmented packet. >How-To-Repeat: Run my yet-to-see-the-light-of-day VLAN improvements, it blows chunks on ever inbound ARP packet. >Fix: I've not only fixed the length comparisson, I've added several diagnostic error messages to the handler for other out-of-the-norm ARP packets. This makes the error conditions easier to detect and fix, and makes the code much more readable. I've put patches for -STABLE and -CURRENT (which are actually identical) online: http://www.waterspout.com/FreeBSD/arpintr-patch.current http://www.waterspout.com/FreeBSD/arpintr-patch.stable If someone could perform a sanity check, and get these committed before 4.0-R heads out the door, that would be ideal. - Steve >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message