Date:      Mon, 29 Nov 1999 17:47:23 -0800 (PST)
From:      Archie Cobbs <archie@whistle.com>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   kern/15175: tcp_input() fails to update m->m_pkthdr.len
Message-ID:  <199911300147.RAA26187@bubba.whistle.com>


>Number:         15175
>Category:       kern
>Synopsis:       tcp_input() fails to update m->m_pkthdr.len
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Nov 29 17:50:01 PST 1999
>Closed-Date:
>Last-Modified:
>Originator:     Archie Cobbs
>Release:        FreeBSD 3.3-STABLE and 4.0-CURRENT
>Organization:
Whistle Communications, Inc.
>Environment:

>Description:

See sys/netinet/tcp_input.c, line 376:

        /*
         * Drop TCP, IP headers and TCP options.
         */
        m->m_data += sizeof(struct tcpiphdr)+off-sizeof(struct tcphdr);
        m->m_len  -= sizeof(struct tcpiphdr)+off-sizeof(struct tcphdr);

Notice that m->m_pkthdr.len is not updated, and therefore the mbuf
becomes inconsistent.  Apparently this doesn't matter much in normal
use.  However, netgraph(4) is strict about checking the consistency
of mbufs and the above omission causes a panic later on.

>How-To-Repeat:

	Input TCP data

>Fix:
	
        if ((m->m_flags & M_PKTHDR) != 0)
                m->m_pkthdr.len -= sizeof(struct tcpiphdr)+off-sizeof(struct tcphdr);

   [ Can we always assume ((m->m_flags & M_PKTHDR) != 0) here?? ]


>Release-Note:
>Audit-Trail:
>Unformatted:
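
Added example (not part of the original problem report or of the FreeBSD source): a user-space model of the invariant the report relies on, namely that m_pkthdr.len on the first mbuf equals the sum of m_len over the chain. The reduced struct layout, the helper names, the two-mbuf sample packet and the 40-byte header length (no TCP options) are assumptions made for illustration, and the check is a stand-in for the consistency checking the report attributes to netgraph(4).

```c
#include <stddef.h>
#include <stdio.h>

#define M_PKTHDR 0x0002            /* first mbuf carries a packet header */

/* Reduced model of struct mbuf: only the fields the report touches. */
struct mbuf {
    struct mbuf *m_next;           /* next mbuf in the chain */
    char        *m_data;           /* start of valid data */
    int          m_len;            /* bytes of data in this mbuf */
    int          m_flags;
    struct { int len; } m_pkthdr;  /* total packet length, valid if M_PKTHDR */
};

/* Invariant: with M_PKTHDR set, m_pkthdr.len == sum of m_len over the chain. */
int mbuf_consistent(const struct mbuf *m) {
    int total = 0;
    if ((m->m_flags & M_PKTHDR) == 0)
        return 1;                  /* no packet header, nothing to compare */
    for (const struct mbuf *n = m; n != NULL; n = n->m_next)
        total += n->m_len;
    return m->m_pkthdr.len == total;
}

/* Drop hdrlen bytes from the front; apply_fix selects the report's fix. */
void strip_headers(struct mbuf *m, int hdrlen, int apply_fix) {
    m->m_data += hdrlen;
    m->m_len  -= hdrlen;
    if (apply_fix && (m->m_flags & M_PKTHDR) != 0)
        m->m_pkthdr.len -= hdrlen;
}

/* Constructed packet: 40 header bytes + 100 payload, then 60 more payload. */
int demo(int apply_fix) {
    static char buf0[140], buf1[60];
    struct mbuf m1 = { NULL, buf1, 60, 0, { 0 } };
    struct mbuf m0 = { &m1, buf0, 140, M_PKTHDR, { 200 } };
    if (!mbuf_consistent(&m0))
        return -1;                 /* sample data itself is inconsistent */
    strip_headers(&m0, 40, apply_fix);
    return mbuf_consistent(&m0);
}

int main(void) {
    printf("without fix: %d, with fix: %d\n", demo(0), demo(1));
    return 0;
}
```

Without the fix the chain still sums to 160 bytes while the packet header claims 200, which is the mismatch a strict consumer rejects.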

