Date:      Fri, 31 Jan 2025 21:25:58 -0500
From:      jaeyong yoo <y.jaeyong@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Question about rack implementation for mbuf copy in fast-output
Message-ID:  <CANud0THSM3bpsnB0rbHeQ_MRXQFYQHebNCJ9bek46uBDHgZpww@mail.gmail.com>


Hi FreeBSD guru!

I am testing FreeBSD's latest RACK implementation on fstack and having a
somewhat strange problem.

I see the buffer overflow happen at this line:
https://github.com/freebsd/freebsd-src/blob/main/sys/netinet/tcp_stacks/rack.c#L18262

where it copies the data of one mbuf to another mbuf which is created by
m_get (not from the mbuf cluster zone). And in my scenario I'm seeing that
the copy length is 1300 bytes, which causes an overflow since the size of the
mbuf is 256 (as it is not from a cluster). I'm trying to understand whether,
in the line 18262 case, there is no possibility of the copy length being
larger than this mbuf size (256), so that I screwed up somewhere prior?

Any help would be appreciated!

Thanks,
Jaeyong
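Added example, not FreeBSD's rack.c nor the poster's code: a toy mbuf model of the scenario above (a 1300-byte copy into a plain m_get() mbuf versus a cluster-backed one) with the trailing-space bound check that makes such a copy safe to attempt. The struct layout, the 32-byte header overhead and the `toy_` helper names are assumptions for illustration; only the 256 and 2048 sizes mirror FreeBSD's defaults.

```c
/* Added example, not FreeBSD's rack.c: a toy mbuf with the bound check a safe
 * copy needs. Sizes mirror FreeBSD defaults (MSIZE 256, MCLBYTES 2048); the
 * struct layout and 32-byte header overhead are assumptions for illustration. */
#include <stdint.h>
#include <string.h>

#define TOY_MSIZE    256                      /* whole m_get() mbuf, header included */
#define TOY_HDRLEN   32                       /* assumed header bytes in a plain mbuf */
#define TOY_MLEN     (TOY_MSIZE - TOY_HDRLEN) /* payload room of a plain mbuf */
#define TOY_MCLBYTES 2048                     /* payload room with a cluster attached */

struct toy_mbuf {
    uint8_t *m_data;                 /* where payload starts */
    int      m_len;                  /* bytes stored so far */
    int      m_cap;                  /* bytes the backing store can hold */
    uint8_t  inline_store[TOY_MLEN]; /* the plain mbuf's own payload area */
};

static uint8_t cluster_store[TOY_MCLBYTES];  /* stands in for the cluster zone */

/* m_get(): payload lives inside the 256-byte mbuf itself. */
static void toy_m_get(struct toy_mbuf *m)
{ m->m_data = m->inline_store; m->m_len = 0; m->m_cap = TOY_MLEN; }
/* m_getcl(): payload lives in an external 2048-byte cluster. */
static void toy_m_getcl(struct toy_mbuf *m)
{ m->m_data = cluster_store; m->m_len = 0; m->m_cap = TOY_MCLBYTES; }
/* Like M_TRAILINGSPACE(): bytes still free after the stored data. */
static int toy_trailingspace(const struct toy_mbuf *m) { return m->m_cap - m->m_len; }

/* Copy n bytes into m only if they fit: 0 on success, -1 when the copy would
 * run past the backing store, which is the overflow the post describes. */
static int toy_copy_checked(struct toy_mbuf *m, const uint8_t *src, int n)
{
    if (n < 0 || n > toy_trailingspace(m))
        return -1;
    memcpy(m->m_data + m->m_len, src, (size_t)n);
    m->m_len += n;
    return 0;
}

/* Replay the scenario: copy nbytes of a constructed payload into a fresh
 * plain (use_cluster == 0) or cluster-backed mbuf. */
int toy_try_copy(int use_cluster, int nbytes)
{
    static uint8_t src[4096];                /* constructed payload source */
    struct toy_mbuf m;
    if (nbytes < 0 || nbytes > (int)sizeof(src))
        return -1;
    memset(src, 0xAB, sizeof(src));
    if (use_cluster) toy_m_getcl(&m); else toy_m_get(&m);
    return toy_copy_checked(&m, src, nbytes);
}
```

With the check in place the 1300-byte copy into a plain mbuf is refused instead of corrupting memory past the 256-byte mbuf, while the same copy into a cluster-backed mbuf succeeds.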
