From: John Baldwin <jhb@freebsd.org>
To: net@freebsd.org
Date: Mon, 31 Jan 2011 12:17:07 -0500
Subject: Bogus KASSERT() in tcp_output()?
Message-Id: <201101311217.07073.jhb@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

Somewhat related fallout to the bug reported on security@ recently, I think
this KASSERT() in tcp_output() is bogus:

	KASSERT(len + hdrlen + ipoptlen == m_length(m, NULL),
	    ("%s: mbuf chain shorter than expected", __func__));

Specifically, just a few lines earlier in tcp_output() we set the packet
header length to just 'len + hdrlen':

	/*
	 * Put TCP length in extended header, and then
	 * checksum extended header and data.
	 */
	m->m_pkthdr.len = hdrlen + len; /* in6_cksum() need this */

Also, the ipoptions are stored in a separate mbuf chain in the in pcb
(inp_options) that is passed as a separate argument to ip_output().  Given
that, I would think that m_length() should not reflect ipoptlen since it
should not include IP options in that chain?

-- 
John Baldwin
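As an added illustration (not part of John's message and not FreeBSD source), the following C model reproduces the accounting he describes: TCP/IP header and payload in one mbuf chain whose m_pkthdr.len is set to hdrlen + len, and IP options in a separate chain handed to ip_output() on its own. The mbuf struct, m_length() and check() below are simplified stand-ins written for this example; they assume m_length() simply sums m_len over one chain, as the message implies, and the segment sizes are constructed test data.

```c
/*
 * Added example, not FreeBSD code: a toy mbuf model showing why
 * "len + hdrlen + ipoptlen == m_length(m, NULL)" cannot hold when the IP
 * options live in a separate chain (inp_options) rather than in m.
 */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-in for the kernel's struct mbuf (hypothetical layout). */
struct mbuf {
    struct mbuf *m_next;       /* next buffer in this chain */
    size_t       m_len;        /* bytes of data in this buffer */
    size_t       m_pkthdr_len; /* stands in for m->m_pkthdr.len (head only) */
};

/* Sum m_len over one chain, like m_length(m, NULL). */
static size_t m_length(const struct mbuf *m) {
    size_t total = 0;
    for (; m != NULL; m = m->m_next)
        total += m->m_len;
    return total;
}

/* Build a chain from an array of segment sizes (constructed test data). */
static struct mbuf *m_build(const size_t *segs, size_t n) {
    struct mbuf *head = NULL, **tail = &head;
    for (size_t i = 0; i < n; i++) {
        struct mbuf *m = calloc(1, sizeof *m);
        if (m == NULL)
            abort();
        m->m_len = segs[i];
        *tail = m;
        tail = &m->m_next;
    }
    return head;
}

static void m_freem(struct mbuf *m) {
    while (m != NULL) {
        struct mbuf *n = m->m_next;
        free(m);
        m = n;
    }
}

struct verdict {
    int original; /* len + hdrlen + ipoptlen == m_length(m) holds */
    int pkthdr;   /* m->m_pkthdr.len (= hdrlen + len) == m_length(m) holds */
    int wire;     /* m plus the options chain account for all bytes sent */
};

/* Model one tcp_output() call: header in the first mbuf, payload split over
 * two more, options (if any) in their own chain like inp->inp_options. */
struct verdict check(size_t len, size_t hdrlen, size_t ipoptlen) {
    size_t seg[] = { hdrlen, len / 2, len - len / 2 };
    struct mbuf *m = m_build(seg, 3);
    struct mbuf *opt = ipoptlen ? m_build(&ipoptlen, 1) : NULL;
    struct verdict v;

    m->m_pkthdr_len = hdrlen + len;      /* as tcp_output() sets it */

    v.original = (len + hdrlen + ipoptlen == m_length(m));
    v.pkthdr   = (m->m_pkthdr_len == m_length(m));
    /* ip_output() receives m and the options chain as separate arguments */
    v.wire     = (m_length(m) + m_length(opt) == len + hdrlen + ipoptlen);

    m_freem(m);
    m_freem(opt);
    return v;
}

int main(void) {
    size_t opts[] = { 0, 4, 8, 40 };
    for (size_t i = 0; i < sizeof opts / sizeof opts[0]; i++) {
        struct verdict v = check(1000, 40, opts[i]);
        printf("ipoptlen=%2zu  original=%d  pkthdr=%d  wire=%d\n",
               opts[i], v.original, v.pkthdr, v.wire);
    }
    return 0;
}
```

With ipoptlen = 0 both conditions agree; with any non-zero ipoptlen the original condition is false even though every byte is accounted for across the two chains, which is the mismatch the message points at.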