Date:      Thu, 1 Jul 1999 11:42:50 +0800
From:      "Witman Peng" <witman@iname.com>
To:        <freebsd-net@FreeBSD.ORG>
Cc:        <freebsd-bugs@FreeBSD.ORG>
Subject:   IP reassemble fails if it contains more than 20 bytes options?
Message-ID:  <000101bec374$30e06eb0$010000c8@heart.witman.com>

Hi, All

I am developing an application based on 4.4BSD-Lite source code. When I ported
the code in file netinet/ip_input.c, I found a problem. But I have no chance
to install FreeBSD and test it, so I am not sure whether it's a bug or not.
The following is the code to reassemble the IP fragments from ip_input.c:

From routine ipintr:
    if (ip->ip_off &~ IP_DF) {
          if (m->m_flags & M_EXT) {  /* XXX */
               if ((m = m_pullup(m, sizeof (struct ip))) == 0) {
                    ipstat.ips_toosmall++;
                    goto next;
               }
               ip = mtod(m, struct ip *);
          }

From routine ip_reass:
        int hlen = ip->ip_hl << 2;
        int i, next;

        m->m_data += hlen;
        m->m_len -= hlen;

Suppose a fragment with more than 208 bytes and 40 bytes of IP options; it will
be stored in the cluster, not in the mbuf. In routine ipintr, m_pullup
only pulls sizeof(struct ip) bytes (maybe 40 bytes for the tcp header) into a
new mbuf. However, the IP header is 60 (20 + 40) bytes, so the complete IP
header cannot be stored in this mbuf. Then in routine ip_reass, after running
the above code, m->m_data will point to an incorrect address.

Does it seem right? Any input would be appreciated.

BR,
Witman Peng
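Added illustration of the scenario above, not code from the post or from 4.4BSD: a constructed, simplified cluster-mbuf model (struct toy_mbuf, toy_pullup, reass_skip_header, reass_after_pullup are all hypothetical names) shows why pulling up only sizeof(struct ip) leaves a 60-byte header non-contiguous, and what the guard before "m->m_data += hlen" has to check.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a cluster mbuf (not the 4.4BSD mbuf code): the whole
 * fragment sits in ext; after a pullup only the first m_len bytes (copied into
 * buf) are contiguous via m_data. */
struct toy_mbuf {
    uint8_t buf[128], ext[256];
    size_t ext_len, m_len;
    uint8_t *m_data;
};
/* Header length in bytes from the IHL nibble, i.e. ip->ip_hl << 2. */
static size_t ip_hlen(const uint8_t *ip) { return (size_t)(ip[0] & 0x0f) << 2; }

/* Simplified m_pullup(m, len): make exactly len bytes contiguous in buf. */
static int toy_pullup(struct toy_mbuf *m, size_t len)
{
    if (len > sizeof m->buf || len > m->ext_len)
        return -1;                      /* ips_toosmall */
    memcpy(m->buf, m->ext, len);
    m->m_data = m->buf;
    m->m_len = len;
    return 0;
}

/* The ip_reass adjustment (m_data += hlen) with the guard a defender wants:
 * refuse unless the whole header lies inside the contiguous region. */
static int reass_skip_header(struct toy_mbuf *m)
{
    size_t hlen = ip_hlen(m->m_data);
    if (hlen < 20 || hlen > m->m_len)
        return -1;                      /* header not contiguous: drop */
    m->m_data += hlen;
    m->m_len -= hlen;
    return 0;
}

/* Constructed 208-byte fragment whose header carries 40 bytes of options
 * (IHL 15). pullup_len > 0 pulls up that many bytes (20 == sizeof(struct ip)
 * mimics the quoted ipintr code); 0 reads IHL first and pulls up the full hlen.
 * Returns 0 when the header was contiguous for ip_reass, -1 when it was not. */
int reass_after_pullup(size_t pullup_len)
{
    struct toy_mbuf m = { .ext_len = 208 };
    m.ext[0] = 0x4f;                    /* version 4, IHL 15 -> 60-byte header */
    if (pullup_len == 0 && toy_pullup(&m, 20) == 0)
        pullup_len = ip_hlen(m.m_data);
    return toy_pullup(&m, pullup_len) == 0 ? reass_skip_header(&m) : -1;
}
```

reass_after_pullup(20) fails the guard because only 20 of the 60 header bytes are contiguous, while reass_after_pullup(0), which pulls up the length the IHL field declares, succeeds.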