From owner-freebsd-bugs@FreeBSD.ORG Thu Oct 16 01:10:02 2008
Resent-Date: Thu, 16 Oct 2008 01:10:01 GMT
Resent-Message-Id: <200810160110.m9G1A1EI036817@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, "Yehuda Sadeh Weinraub"
Message-Id: <20081016004935.2B29945039@k7.mavetju.org>
Date: Thu, 16 Oct 2008 11:49:35 +1100 (EST)
From: "Yehuda Sadeh Weinraub"
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/128134: src/sys/netinet - crc32c calculation at sctp_crc32.c
X-Send-Pr-Version: 3.113
Reply-To: Yehuda Sadeh Weinraub
List-Id: Bug reports

>Number:         128134
>Category:       kern
>Synopsis:       src/sys/netinet - crc32c calculation at sctp_crc32.c
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Oct 16 01:10:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Yehuda Sadeh Weinraub
>Release:        FreeBSD 7.1-BETA i386
>Organization:   -
>Environment:
>Description:
It looks like there is some bug in the crc32c calculation at sctp_crc32.c.

The update_crc32() does the following:

	...
	offset = ((uintptr_t) buffer) & 0x3;
	return (sctp_crc32c_sb8_64_bit(crc32c, buffer, length, offset));

Now, note that it passes the 'offset' parameter. However, the
sctp_crc32c_sb8_64_bit() treats the 4th parameter as init_bytes.
This is wrong.

Also it does the following:

	running_length = ((length - init_bytes) / 8) * 8;

Now, if init_bytes is 3 and length is 1, running_length will overlap.

The following patch seems to fix it.

Yehuda
>How-To-Repeat:
>Fix:
--- a/src/common/sctp_crc32.c
+++ b/src/common/sctp_crc32.c
@@ -518,12 +518,18 @@ static uint32_t sctp_crc32c_sb8_64_bit(uint32_t crc, unsigned char const *p_buf, uint32_t length, - uint32_t init_bytes) + uint32_t offset) { uint32_t li; uint32_t term1, term2; uint32_t running_length; uint32_t end_bytes; + uint32_t init_bytes; + + init_bytes = (4-offset) & 0x3; + + if (init_bytes > length) + init_bytes = length; running_length = ((length - init_bytes) / 8) * 8; end_bytes = length - init_bytes - running_length; >Release-Note: >Audit-Trail: >Unformatted:
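Review bot: the clamp `if (init_bytes > length) init_bytes = length;` is the memory-safety part of this hunk and should carry a comment saying why it exists: `length` and `init_bytes` are both `uint32_t`, so without it `length - init_bytes` wraps whenever the buffer is shorter than the distance to the next 4-byte boundary (the report's length 1, offset 3 case), `running_length` comes out close to 4 GB, and whatever consumes `running_length` walks far past the end of `p_buf`. Two smaller points on the same lines: `(4-offset)` should be written `(4 - offset)` per style(9), and because the fourth parameter now means the pointer's alignment offset instead of a byte count, the function's prototype and header comment (outside this hunk) need the same `init_bytes` to `offset` rename; `(4 - offset) & 0x3` is only the distance to the boundary when `offset` is at most 3, which the `& 0x3` in update_crc32() guarantees today but is worth stating in that comment.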
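As an added illustration (this is example code written for this page, not the bug report's patch and not FreeBSD's sctp_crc32.c), the program below isolates the two defects the report describes: the original division uses the alignment offset directly as the count of leading bytes, so the 8-byte block phase does not start on a 4-byte boundary, and with no clamp the uint32_t subtraction wraps for length 1, offset 3. The CRC-32C here is a plain byte-at-a-time table implementation, assumed to use the Castagnoli reflected polynomial 0x82F63B78 with init and final xor 0xffffffff; the split functions mimic only the leading/8-byte-block/tail division, not the kernel's slicing-by-8 tables. The alignment offset is passed explicitly instead of being read from the pointer as update_crc32() does, and the 64-byte sample buffer is constructed test data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* How the routine carves a buffer: leading bytes, whole 8-byte blocks, tail. */
struct split {
    uint32_t init_bytes;
    uint32_t running_length;
    uint32_t end_bytes;
};

/* Division as in the reported code: the 4th argument is used as init_bytes
 * directly, and length - init_bytes is unsigned arithmetic with no clamp. */
static struct split split_original(uint32_t length, uint32_t init_bytes)
{
    struct split s;
    s.init_bytes = init_bytes;
    s.running_length = ((length - init_bytes) / 8) * 8; /* wraps if init_bytes > length */
    s.end_bytes = length - init_bytes - s.running_length;
    return s;
}

/* Division as in the proposed patch: init_bytes is the distance from the
 * pointer's alignment offset to the next 4-byte boundary, clamped to length. */
static struct split split_fixed(uint32_t length, uint32_t offset)
{
    struct split s;
    s.init_bytes = (4 - offset) & 0x3;
    if (s.init_bytes > length)
        s.init_bytes = length;
    s.running_length = ((length - s.init_bytes) / 8) * 8;
    s.end_bytes = length - s.init_bytes - s.running_length;
    return s;
}

/* 1 if the three parts add up to exactly the buffer length (no over-read). */
static int division_in_bounds(uint32_t length, struct split s)
{
    return (uint64_t)s.init_bytes + s.running_length + s.end_bytes == length;
}

/* 1 if the block phase starts on a 4-byte boundary for a pointer whose
 * address & 3 is 'offset'; this is what the leading bytes are for. */
static int blocks_start_aligned(uint32_t offset, struct split s)
{
    return ((offset + s.init_bytes) & 0x3) == 0;
}

/* Reference CRC-32C, one byte at a time (assumed reflected polynomial
 * 0x82F63B78, table built on first use). Written for this example. */
static uint32_t crc32c_table[256];
static int crc32c_table_ready;

static uint32_t crc32c_update(uint32_t crc, const unsigned char *p, size_t n)
{
    if (!crc32c_table_ready) {
        for (uint32_t i = 0; i < 256; i++) {
            uint32_t c = i;
            for (int k = 0; k < 8; k++)
                c = (c & 1) ? (c >> 1) ^ 0x82F63B78u : c >> 1;
            crc32c_table[i] = c;
        }
        crc32c_table_ready = 1;
    }
    while (n--)
        crc = crc32c_table[(crc ^ *p++) & 0xff] ^ (crc >> 8);
    return crc;
}

static uint32_t crc32c(const unsigned char *p, size_t n)
{
    return crc32c_update(0xffffffffu, p, n) ^ 0xffffffffu;
}

/* Feed the buffer through the three phases in order with byte-wise updates,
 * so only the division is exercised. Returns 0 instead of reading out of
 * bounds when the division does not cover the buffer exactly. */
static int crc32c_split(const unsigned char *buf, uint32_t length,
                        struct split s, uint32_t *out)
{
    if (!division_in_bounds(length, s))
        return 0;
    uint32_t crc = crc32c_update(0xffffffffu, buf, s.init_bytes);
    const unsigned char *p = buf + s.init_bytes;
    for (uint32_t done = 0; done < s.running_length; done += 8, p += 8)
        crc = crc32c_update(crc, p, 8);
    crc = crc32c_update(crc, p, s.end_bytes);
    *out = crc ^ 0xffffffffu;
    return 1;
}

/* 1 if the patched division reproduces the reference CRC over a constructed
 * 64-byte sample, for 'length' bytes starting 'offset' bytes in. */
static int fixed_division_matches(uint32_t offset, uint32_t length)
{
    unsigned char sample[64];
    for (size_t i = 0; i < sizeof sample; i++)
        sample[i] = (unsigned char)(i * 7 + 3); /* constructed test data */
    if (offset > 3 || offset + length > sizeof sample)
        return 0;
    uint32_t want = crc32c(sample + offset, length), got;
    if (!crc32c_split(sample + offset, length, split_fixed(length, offset), &got))
        return 0;
    return got == want;
}

int main(void)
{
    struct split o = split_original(1, 3), f = split_fixed(1, 3);
    printf("len 1, offset 3, original: init=%u running=%u end=%u in_bounds=%d\n",
           o.init_bytes, o.running_length, o.end_bytes, division_in_bounds(1, o));
    printf("len 1, offset 3, fixed:    init=%u running=%u end=%u in_bounds=%d\n",
           f.init_bytes, f.running_length, f.end_bytes, division_in_bounds(1, f));
    printf("len 20, offset 1, blocks aligned: original=%d fixed=%d; fixed crc ok=%d\n",
           blocks_start_aligned(1, split_original(20, 1)),
           blocks_start_aligned(1, split_fixed(20, 1)), fixed_division_matches(1, 20));
    return 0;
}
```

The in-bounds check in crc32c_split is the point of the exercise: with the original division and length 1, init_bytes 3, running_length becomes 0xFFFFFFF8 and end_bytes 6, so a loop driven by those counts would read roughly 4 GB past a 1-byte buffer; with the patched division the counts sum to the length and the byte-wise CRC over the three phases equals the straight CRC at every offset.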