Date:      Sat, 10 Jan 2004 20:59:51 -0500
From:      David Gilbert <dgilbert@dclg.ca>
To:        Andre Oppermann <andre@freebsd.org>
Cc:        David Gilbert <dgilbert@dclg.ca>
Subject:   Re: off-by-one error in ip_fragment, recently.
Message-ID:  <16384.44567.797902.985587@canoe.dclg.ca>
In-Reply-To: <40008783.330FAFF4@freebsd.org>
References:  <16384.14322.83258.940369@canoe.dclg.ca> <40008783.330FAFF4@freebsd.org>

>>>>> "Andre" == Andre Oppermann <andre@freebsd.org> writes:

Andre> There are two possible ways this can happen: The function
Andre> m_copym was called with off == 0, or off == m->m_len.  Neither
Andre> is supposed to happen (obviously) so the bug must be in
Andre> ip_fragment.  Let's have a look at that next...

I got there pretty quickly, too.

Andre> Is this panic reproducible?  What kind of traffic was going on
Andre> at that time?  Or was it right away when you started using the
Andre> GRE tunnel?

It happens during the boot.  I'm working on clearing off a drive so
that I can get a crash dump with symbols.

I have the following in rc.conf:

cloned_interfaces="gre0"
ifconfig_dc0="DHCP"
ifconfig_wi0="inet x.y.z.105/29 media autoselect mode 11b mediaopt hostap ssid DaveG.ca channel 11"
ifconfig_gre0="inet x.y.z.114 x.y.z.113 netmask 255.255.255.252 tunnel a.b.27.151 x.y.z.17"
ifconfig_sis0="inet x.y.z.81/28"
static_routes="tunnel default"
route_tunnel="x.y.z.17/32 a.b.24.1"
route_default="default x.y.z.113"

DHCP picks up a.b.27.151 from my cable provider relatively
dependably.  So wi0 and sis0 are internal networks and dc0 is the
external interface.  gre0 runs over dc0.

The crash happens after a few of the daemons start.  It's a UDP send
that's large enough to fragment.  It could be a large DNS packet or
NTP.  Not sure exactly.

Andre> Could you please open a PR with this information too?  It helps
Andre> keep track of the progress.

I'll be opening the PR tomorrow once I have a crash dump and a better
trace.

This configuration is working in a kernel from 5.1-CURRENT built in
October.

Dave.

-- 
============================================================================
|David Gilbert, Independent Contractor.       | Two things can only be     |
|Mail:       dave@daveg.ca                    |  equal if and only if they |
|http://daveg.ca                              |   are precisely opposite.  |
=========================================================GLO================


