From: Archie Cobbs
Reply-To: archie@whistle.com
To: FreeBSD-gnats-submit@freebsd.org
Date: Mon, 29 Nov 1999 17:47:23 -0800 (PST)
Message-Id: <199911300147.RAA26187@bubba.whistle.com>
Subject: kern/15175: tcp_input() fails to update m->m_pkthdr.len

>Number:         15175
>Category:       kern
>Synopsis:       tcp_input() fails to update m->m_pkthdr.len
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Nov 29 17:50:01 PST 1999
>Closed-Date:
>Last-Modified:
>Originator:     Archie Cobbs
>Release:        FreeBSD 3.3-STABLE and 4.0-CURRENT
>Organization:
Whistle Communications, Inc.
>Environment:
>Description:

See sys/netinet/tcp_input.c, line 376:

	/*
	 * Drop TCP, IP headers and TCP options.
	 */
	m->m_data += sizeof(struct tcpiphdr)+off-sizeof(struct tcphdr);
	m->m_len  -= sizeof(struct tcpiphdr)+off-sizeof(struct tcphdr);

Notice that m->m_pkthdr.len is not updated, and therefore the mbuf
becomes inconsistent. Apparently this doesn't matter much in normal use.
However, netgraph(4) is strict about checking the consistency of mbufs,
and the above omission causes a panic later on.

>How-To-Repeat:

Input TCP data.

>Fix:

	if ((m->m_flags & M_PKTHDR) != 0)
		m->m_pkthdr.len -= sizeof(struct tcpiphdr)+off-sizeof(struct tcphdr);

[ Can we always assume ((m->m_flags & M_PKTHDR) != 0) here?? ]

>Release-Note:
>Audit-Trail:
>Unformatted:
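An added example, not part of the PR or of the FreeBSD source, that models the inconsistency on a constructed stand-in for struct mbuf: it applies the header strip from tcp_input() with and without the proposed m_pkthdr.len update, then runs the kind of chain-length check netgraph(4) performs. The struct layout, the TCPIPHDR_LEN/TCPHDR_LEN constants and the functions drop_headers, chain_consistent and strip_is_consistent are all assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>
/* Constructed stand-in for the kernel's struct mbuf (not the real layout). */
#define M_PKTHDR 0x0002
struct mbuf {
    struct mbuf *m_next;
    char        *m_data;
    int          m_len, m_flags;
    struct { int len; } m_pkthdr;
    char         m_dat[256];
};
/* Assumed sizes standing in for sizeof(struct tcpiphdr) and sizeof(struct tcphdr). */
#define TCPIPHDR_LEN 40
#define TCPHDR_LEN   20

/* Strip IP/TCP headers and options as tcp_input() does; with 'fixed' set,
 * also apply the PR's proposed m_pkthdr.len update. */
static void drop_headers(struct mbuf *m, int off, int fixed)
{
    int drop = TCPIPHDR_LEN + off - TCPHDR_LEN;
    m->m_data += drop;
    m->m_len  -= drop;
    if (fixed && (m->m_flags & M_PKTHDR) != 0)
        m->m_pkthdr.len -= drop;
}

/* The check netgraph(4) makes: m_pkthdr.len must equal the sum of m_len over the chain. */
static int chain_consistent(const struct mbuf *m)
{
    const struct mbuf *p;
    int total = 0;
    if ((m->m_flags & M_PKTHDR) == 0)
        return 1;
    for (p = m; p != NULL; p = p->m_next)
        total += p->m_len;
    return total == m->m_pkthdr.len;
}

/* One-mbuf segment: tcpiphdr, (off - TCPHDR_LEN) bytes of options, 'paylen' bytes of data. */
int strip_is_consistent(int off, int paylen, int fixed)
{
    struct mbuf m;
    memset(&m, 0, sizeof m);
    m.m_flags = M_PKTHDR;
    m.m_data = m.m_dat;
    m.m_len = TCPIPHDR_LEN + (off - TCPHDR_LEN) + paylen;
    m.m_pkthdr.len = m.m_len;
    drop_headers(&m, off, fixed);
    return chain_consistent(&m) && m.m_len == paylen;
}
```

With the M_PKTHDR guard in place the fix is a no-op on an mbuf that carries no packet header, which is the case the bracketed question in the PR is asking about.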