From owner-cvs-all Thu Mar 8 13:43:35 2001
Delivered-To: cvs-all@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4])
	by hub.freebsd.org (Postfix) with ESMTP
	id 512A637B718; Thu, 8 Mar 2001 13:43:25 -0800 (PST)
	(envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost)
	by gndrsh.dnsmgr.net (8.9.3/8.9.3) id NAA26756;
	Thu, 8 Mar 2001 13:40:44 -0800 (PST)
	(envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <200103082140.NAA26756@gndrsh.dnsmgr.net>
Subject: Re: cvs commit: src/sys/netinet ip_icmp.c ip_input.c
In-Reply-To: <24132.984086792@critter> from Poul-Henning Kamp at "Mar 8, 2001 10:26:32 pm"
To: phk@critter.freebsd.dk (Poul-Henning Kamp)
Date: Thu, 8 Mar 2001 13:40:44 -0800 (PST)
Cc: iedowse@FreeBSD.org (Ian Dowse), cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

>
> Yah! Good work!

Yea, that was an odd one!

> Is this by any chance related to the DUMMYNET problem rgrimes
> reported ?

I don't think so. I've looked at what changed in 4.3 since the end of
February when dummynet worked fine, and it looks like one merge from
current was done. This was the per interface stats counter stuff, and
it looks like it may be possible to deref a null ia->ia_ifa in the
DUMMYNET case, though this is from all of a 3 minute look at the diff.

Also this patch doesn't touch ip_output, which is where the panic occurs.

> Poul-Henning
>
> In message <200103081903.f28J3Rp36712@freefall.freebsd.org>, Ian Dowse writes:
> >iedowse 2001/03/08 11:03:26 PST
> >
> > Modified files:
> > sys/netinet ip_icmp.c ip_input.c
> > Log:
> > It was possible for ip_forward() to supply to icmp_error()
> > an IP header with ip_len in network byte order. For certain
> > values of ip_len, this could cause icmp_error() to write
> > beyond the end of an mbuf, causing mbuf free-list corruption.
> > This problem was observed during generation of ICMP redirects.
> >
> > We now make quite sure that the copy of the IP header kept
> > for icmp_error() is stored in a non-shared mbuf header so
> > that it will not be modified by ip_output().
> >
> > Also:
> >
> > Reported by: Mike Tancsa
> > Many thanks to Mike for stalking this bug out !
> >
> --
> Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
> phk@FreeBSD.ORG | TCP/IP since RFC 956
> FreeBSD committer | BSD since 4.3-tahoe
> Never attribute to malice what can adequately be explained by incompetence.
>

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
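
The aliasing problem described in the quoted commit log, as an added example that is not part of the original message and is not FreeBSD source: a saved header that shares storage with the packet sees ip_len after the output path has byte-swapped it, while a private copy does not. The names model_ip, swap16, model_output, model_error_len, forward_shared and forward_private are hypothetical, and swap16 stands in for htons() on a little-endian host.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model header: only the field the commit log talks about. */
struct model_ip { uint16_t ip_len; };

/* Explicit swap models htons() on a little-endian host, so the
 * demonstration behaves the same on any machine. */
static uint16_t swap16(uint16_t v) { return (uint16_t)((v << 8) | (v >> 8)); }

/* Models the output path: converts ip_len to network order in place. */
static void model_output(struct model_ip *ip) { ip->ip_len = swap16(ip->ip_len); }

/* Models the error path: trusts ip_len to be host order, derives a copy
 * length from it, and refuses a length larger than the destination. */
static int model_error_len(const struct model_ip *saved, size_t dst_cap)
{
    size_t want = saved->ip_len;
    return want <= dst_cap ? (int)want : -1;   /* -1: would write past dst */
}

/* Before the fix, as described: the saved header aliases the packet that
 * the output path later modifies. */
int forward_shared(uint16_t len, size_t dst_cap)
{
    struct model_ip pkt = { len };
    const struct model_ip *saved = &pkt;       /* shared storage */
    model_output(&pkt);
    return model_error_len(saved, dst_cap);
}

/* After the fix, as described: the saved header is a private copy. */
int forward_private(uint16_t len, size_t dst_cap)
{
    struct model_ip pkt = { len };
    struct model_ip saved;
    memcpy(&saved, &pkt, sizeof saved);        /* non-shared copy */
    model_output(&pkt);
    return model_error_len(&saved, dst_cap);
}

int main(void)
{
    printf("shared:  len 84 -> %d, len 256 -> %d\n",
           forward_shared(84, 256), forward_shared(256, 256));
    printf("private: len 84 -> %d, len 256 -> %d\n",
           forward_private(84, 256), forward_private(256, 256));
    return 0;
}
```

With the constructed length 256 the shared variant passes the bounds check but yields 1, so a bounds check in the error path alone does not restore the correct length; the private copy does.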