From owner-freebsd-current Sat Sep 5 14:12:20 1998
Return-Path:
Received: (from majordom@localhost)
        by hub.freebsd.org (8.8.8/8.8.8) id OAA12277
        for freebsd-current-outgoing; Sat, 5 Sep 1998 14:12:20 -0700 (PDT)
        (envelope-from owner-freebsd-current@FreeBSD.ORG)
Received: from ducky.net (gate.ducky.net [198.145.101.253])
        by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA12272
        for ; Sat, 5 Sep 1998 14:12:17 -0700 (PDT)
        (envelope-from mike@ducky.net)
Received: from ducky.net (localhost.ducky.net [127.0.0.1])
        by ducky.net (8.9.1/8.8.5) with ESMTP id OAA00369;
        Sat, 5 Sep 1998 14:10:30 -0700 (PDT)
Message-Id: <199809052110.OAA00369@ducky.net>
To: current@FreeBSD.ORG
cc: dfr@nlsystems.com, wollman@khavrinen.lcs.mit.edu
Subject: DANGER: new IP fragment code breaks SLIP
Date: Sat, 05 Sep 1998 14:10:30 -0700
From: Mike Haertel
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I've been experiencing crashes with recent 3.0 kernels using
SLIP based dialin networking.  Haven't had time yet to set up
kernel debugging, however I spent a half an hour doing binary
search via kernel builds on recent CVS commits.

The bug is either contained in, or perhaps exposed by, the
following commit:

>dfr         1998/08/24 00:47:39 PDT
>
>  Modified files:
>    sys/sys              mbuf.h
>    sys/netinet          ip_input.c ip_var.h tcp_input.c
>                         tcp_subr.c tcp_var.h udp_usrreq.c
>  Log:
>  Re-implement tcp and ip fragment reassembly to not store pointers in the
>  ip header which can't work on alpha since pointers are too big.
>
>  Reviewed by: Garrett Wollman
>
>  Revision  Changes    Path
>  1.29      +5 -1      src/sys/sys/mbuf.h
>  1.100     +80 -90    src/sys/netinet/ip_input.c
>  1.45      +3 -32     src/sys/netinet/ip_var.h
>  1.80      +49 -38    src/sys/netinet/tcp_input.c
>  1.46      +12 -15    src/sys/netinet/tcp_subr.c
>  1.48      +2 -13     src/sys/netinet/tcp_var.h
>  1.48      +3 -6      src/sys/netinet/udp_usrreq.c

Here's how I can reliably reproduce the crash:

1.  reboot my system normally.  as part of my boot process, my
    system automatically dials up and slattaches (on sl0) my
    permanent network link.

2.  dial in to my employer's dialin (behind a firewall), and
    slattach via sl1.  the slattach works ok.

3.  attempt an ssh login to a machine in my employer's network,
    via the sl1 interface.  this reliably either hangs or crashes
    the machine.

Some further comments:

3a.  usually after establishing the sl1 connection, I can telnet
     a few times before crashing the machine.  however attempting
     an ssh login to the remote site always crashes the machine
     instantly.  i hypothesize that the cause is large packets
     containing public key challenges sent by ssh.

3b.  i haven't tried to reproduce the bug using just one SLIP
     connection.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message