Date: Wed, 21 Nov 2001 10:37:26 -0600 (CST)
From: Jonathan Lemon
Message-Id: <200111211637.fALGbQX69784@prism.flugsvamp.com>
To: rizzo@aciri.org, net@freebsd.org
Subject: Re: Garbage tacked onto end of packet

In article you write:
>[Bcc to Przemyslaw Frasunek who submitted the example in case
>he can tell what hardware was involved]
>
>On Wed, Nov 21, 2001 at 02:36:56PM +0100, Dag-Erling Smorgrav wrote:
>> http://lcamtuf.coredump.cx/mobp/
>>
>> See Exhibit 5. Is this a known bug?
>
>Looks more like one or more bugs in a specific device driver, tcpdump or bpf.
>
>Here we have a short IP packet (44 bytes) which is later shown as having
>46 and then 64 bytes.
>
>On the wire, ethernet frames are supposed to have at least 64 bytes (including
>CRC ?) which is exactly 14+46+4 -- so the second example makes perfect sense,
>it is the only legal format of such a frame coming from an ethernet interface.
>
>As for the third one, it might well be that some device driver misinterprets
>the padding (possibly on the output side) and tries to generate 64-bytes
>in addition to the headers.

Yup. My guess is the first (short) packet was captured on the
originating host, so bpf saw it before it hit the wire.
The driver should have padded the packet out to 64 bytes on
transmission, and the second hop sees the correct (64 - 14 - 4 = 46 byte)
payload.

I'm not sure what the third system is doing; it looks like it is
returning the total packet length, unadjusted for the ethernet headers,
which would be a driver bug. However, this is harmless in this case,
since the system is using the length from the IP header, not the mbuf
length. It isn't clear if the third system is even a FreeBSD box.
--
Jonathan
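The three capture lengths discussed in this thread (44, 46 and 64 bytes for one 44-byte IP packet), as an added example that is not part of the original messages: a C check that takes the datagram length from the IP header, as the receiving stack described above does, and classifies whatever follows it in the capture. The function names and the constructed sample frame are assumptions made for illustration, and the 64-byte case is read as 64 bytes after the Ethernet header.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HDR 14                          /* dst MAC, src MAC, ethertype */
#define ETH_MIN_PAYLOAD (64 - ETH_HDR - 4)  /* 46: minimum frame less header and CRC */

enum trailer { TR_MALFORMED = -1, TR_NONE, TR_ZERO_PAD, TR_NONZERO_PAD, TR_OVERSIZED };

/* Classify the bytes that follow the IPv4 datagram in a captured frame.
 * frame/caplen: Ethernet header onward, CRC not included.
 * On success *ip_len is the IP header's total length, *extra the trailer size. */
enum trailer classify_trailer(const uint8_t *frame, size_t caplen,
                              size_t *ip_len, size_t *extra)
{
    if (caplen < ETH_HDR + 20 || frame[12] != 0x08 || frame[13] != 0x00)
        return TR_MALFORMED;                /* too short, or not IPv4 */
    const uint8_t *ip = frame + ETH_HDR;
    size_t payload = caplen - ETH_HDR;
    size_t hlen = (size_t)(ip[0] & 0x0f) * 4;
    size_t total = ((size_t)ip[2] << 8) | ip[3];
    if ((ip[0] >> 4) != 4 || hlen < 20 || total < hlen || total > payload)
        return TR_MALFORMED;                /* never trust a length past the buffer */
    *ip_len = total;
    *extra = payload - total;
    if (*extra == 0)
        return TR_NONE;                     /* seen before the driver padded it */
    if (payload > ETH_MIN_PAYLOAD)
        return TR_OVERSIZED;                /* more than minimum-frame padding explains */
    for (size_t i = total; i < payload; i++)
        if (ip[i] != 0)
            return TR_NONZERO_PAD;          /* pad bytes are not zero: garbage in the trailer */
    return TR_ZERO_PAD;
}

/* Constructed sample (not a real capture): a 44-byte IPv4 packet followed by
 * `fill` bytes up to `payload` (>= 44) bytes after the Ethernet header.
 * buf must hold ETH_HDR + payload bytes. Returns the capture length. */
size_t build_sample(uint8_t *buf, size_t payload, uint8_t fill)
{
    memset(buf, 0, ETH_HDR + 44);
    buf[12] = 0x08; buf[13] = 0x00;         /* ethertype IPv4 */
    buf[ETH_HDR] = 0x45;                    /* version 4, 20-byte header */
    buf[ETH_HDR + 3] = 44;                  /* IP total length = 44 */
    memset(buf + ETH_HDR + 44, fill, payload - 44);
    return ETH_HDR + payload;
}
```

Calling `build_sample` with payload sizes 44, 46 and 64 reproduces the three observations in the thread; only the 46-byte case is what minimum-frame padding alone produces.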