From: Lawrence Stewart <lstewart@freebsd.org>
Date: Tue, 01 Feb 2011 13:40:09 +1100
To: John Baldwin
Cc: "Bjoern A. Zeeb", Andre Oppermann, net@freebsd.org
Subject: Re: Bogus KASSERT() in tcp_output()?
Message-ID: <4D477289.8040901@freebsd.org>
In-Reply-To: <201101311217.07073.jhb@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net@freebsd.org)
On 02/01/11 04:17, John Baldwin wrote:
> Somewhat related fallout to the bug reported on security@ recently, I think
> this KASSERT() in tcp_output() is bogus:
>
>         KASSERT(len + hdrlen + ipoptlen == m_length(m, NULL),
>             ("%s: mbuf chain shorter than expected", __func__));
>
> Specifically, just a few lines earlier in tcp_output() we set the packet
> header length to just 'len + hdrlen':
>
>         /*
>          * Put TCP length in extended header, and then
>          * checksum extended header and data.
>          */
>         m->m_pkthdr.len = hdrlen + len; /* in6_cksum() need this */
>
> Also, the ipoptions are stored in a separate mbuf chain in the in pcb
> (inp_options) that is passed as a separate argument to ip_output(). Given
> that, I would think that m_length() should not reflect ipoptlen since it
> should not include IP options in that chain?
>

There is some relevant prior discussion on src-committers@ for r212803 between
Andre and Bjoern.

Cheers,
Lawrence
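A small model of the invariant John's quoted KASSERT() is checking, added here as an illustration; it is not code from this thread nor from the FreeBSD kernel. The toy_mbuf structure, toy_m_length(), build_segment() and the two check functions are constructed stand-ins for the real mbuf, m_length() and the assertion, and the lengths (100-byte payload, 40-byte header, 4-byte options) are made up. It shows why the check as quoted fails exactly when IP options are present even though the segment chain itself is well-formed, and what the check looks like once the options are accounted on their own chain, which is the invariant the preceding m_pkthdr.len assignment establishes.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed toy mbuf: a linked chain of buffers, each carrying m_len bytes.
 * A model for this discussion only, not the FreeBSD struct mbuf. */
struct toy_mbuf {
    struct toy_mbuf *m_next;
    int m_len;
};

/* Sum the data lengths along a chain, the way m_length(m, NULL) does.
 * An empty (NULL) chain has length 0. */
static int toy_m_length(const struct toy_mbuf *m)
{
    int total = 0;
    for (; m != NULL; m = m->m_next)
        total += m->m_len;
    return total;
}

static struct toy_mbuf *toy_alloc(int len, struct toy_mbuf *next)
{
    struct toy_mbuf *m = calloc(1, sizeof(*m));
    if (m == NULL)
        abort();
    m->m_len = len;
    m->m_next = next;
    return m;
}

static void toy_free_chain(struct toy_mbuf *m)
{
    while (m != NULL) {
        struct toy_mbuf *next = m->m_next;
        free(m);
        m = next;
    }
}

/* The two chains tcp_output() hands to ip_output() in the quoted description:
 * the header+payload chain, and a separate options chain (inp_options). */
struct toy_segment {
    struct toy_mbuf *m;     /* hdrlen bytes of header, then len bytes of data */
    struct toy_mbuf *opts;  /* ipoptlen bytes of IP options, or NULL if none */
};

static struct toy_segment build_segment(int len, int hdrlen, int ipoptlen)
{
    struct toy_segment seg;
    seg.m = toy_alloc(hdrlen, toy_alloc(len, NULL));
    seg.opts = ipoptlen > 0 ? toy_alloc(ipoptlen, NULL) : NULL;
    return seg;
}

/* The condition as quoted in the thread: ipoptlen is counted against a chain
 * that does not carry the options. Returns 1 if the condition holds. */
static int check_as_quoted(int len, int hdrlen, int ipoptlen,
                           const struct toy_segment *seg)
{
    return len + hdrlen + ipoptlen == toy_m_length(seg->m);
}

/* The invariant the surrounding code actually sets up (m_pkthdr.len is
 * hdrlen + len): options are measured on their own chain. */
static int check_separate_options(int len, int hdrlen, int ipoptlen,
                                  const struct toy_segment *seg)
{
    return len + hdrlen == toy_m_length(seg->m)
        && ipoptlen == toy_m_length(seg->opts);
}

/* Build a segment, run both checks, and return them as a 2-bit mask:
 * bit 1 = quoted check holds, bit 0 = separate-options check holds. */
static int evaluate(int len, int hdrlen, int ipoptlen)
{
    struct toy_segment seg = build_segment(len, hdrlen, ipoptlen);
    int quoted = check_as_quoted(len, hdrlen, ipoptlen, &seg);
    int separate = check_separate_options(len, hdrlen, ipoptlen, &seg);
    toy_free_chain(seg.m);
    toy_free_chain(seg.opts);
    return (quoted << 1) | separate;
}

int main(void)
{
    /* Constructed cases: no IP options, then 4 bytes of IP options. */
    int no_opts = evaluate(100, 40, 0);
    int with_opts = evaluate(100, 40, 4);
    printf("no options:   quoted=%d separate=%d\n", no_opts >> 1, no_opts & 1);
    printf("4-byte opts:  quoted=%d separate=%d\n", with_opts >> 1, with_opts & 1);
    return 0;
}
```

With no options both forms agree, which is why such a check can survive testing on plain segments; as soon as the options chain is non-empty the quoted form reports a "short" chain for a segment that is in fact complete, while the form that measures the options chain on its own keeps holding.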