From owner-freebsd-bugs Mon Mar 30 13:30:04 1998
Return-Path:
Received: (from majordom@localhost)
	by hub.freebsd.org (8.8.8/8.8.8) id NAA26041
	for freebsd-bugs-outgoing; Mon, 30 Mar 1998 13:30:04 -0800 (PST)
	(envelope-from owner-freebsd-bugs@FreeBSD.ORG)
Received: (from gnats@localhost)
	by hub.freebsd.org (8.8.8/8.8.8) id NAA26034;
	Mon, 30 Mar 1998 13:30:03 -0800 (PST)
	(envelope-from gnats)
Received: from johngalt.ennovatenetworks.com (johngalt.ennovatenetworks.com [208.227.99.141])
	by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA25772
	for ; Mon, 30 Mar 1998 13:28:47 -0800 (PST)
	(envelope-from eric@johngalt.ennovatenetworks.com)
Received: (from eric@localhost)
	by johngalt.ennovatenetworks.com (8.8.7/8.8.7) id QAA00502;
	Mon, 30 Mar 1998 16:28:39 -0500 (EST)
	(envelope-from eric)
Message-Id: <199803302128.QAA00502@johngalt.ennovatenetworks.com>
Date: Mon, 30 Mar 1998 16:28:39 -0500 (EST)
From: eric@ennovatenetworks.com
Reply-To: eric@ennovatenetworks.com
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: misc/6177: IP reassembly fails when some options present
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         6177
>Category:       misc
>Synopsis:       IP reassembly fails when some options present
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar 30 13:30:01 PST 1998
>Last-Modified:
>Originator:     Eric Sprinkle
>Organization:
Ennovate Networks, Inc
>Release:        FreeBSD 2.2.5-RELEASE i386
>Environment:

	Two machines on the same IP subnet.
	Intel Etherexpress 100 NICs

>Description:

	An oversized ping with record-route option fails the checksum
	test in ip_input and gets discarded.

	The function ip_input in ip_input.c determines the IP header
	length for each packet or fragment and saves the length in the
	variable 'hlen'. Later on ip_input decides it's a fragment and
	reassembles it and calls icmp_input with the header length.
	Unfortunately, hlen is the length of the last fragment's IP
	header, which may be different than the header length of the
	first fragment.

	The 'record-route' option is an example of an option that is
	only present in the first fragment of a datagram.

>How-To-Repeat:

	ping -s 3000 -R remote-node

>Fix:

	In the code scrap below, from ip_input, the comment and the one
	line after the comment (hlen = ...) fix the problem.

	if (((struct ipasfrag *)ip)->ipf_mff & 1 || ip->ip_off) {
		ipstat.ips_fragments++;
		ip = ip_reass((struct ipasfrag *)ip, fp, &ipq[sum]);
		if (ip == 0)
			return;
		/*
		 * Get the reassembled packet's header length
		 */
		hlen = IP_VHL_HL(ip->ip_vhl) << 2;
		ipstat.ips_reassembled++;
		m = dtom(ip);

>Audit-Trail:
>Unformatted:
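
The failure described in this report can be reproduced in user space. The following is an added example, not code from the report or from the FreeBSD source tree: it builds a constructed reassembled datagram (60-byte header carrying a record-route option, then an ICMP echo with 3000 data bytes) and runs the ICMP checksum test once with the header length read from the reassembled header and once with the 20-byte header length of the last fragment. The names pkt, build_reassembled, hlen_from_header and icmp_cksum_ok are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define HLEN_FIRST 60   /* 20-byte header + 40 option bytes (record route) */
#define HLEN_LAST  20   /* later fragments: record route is not copied */
#define ICMP_LEN   3008 /* 8-byte ICMP header + 3000 data bytes */

static uint8_t pkt[HLEN_FIRST + ICMP_LEN]; /* constructed reassembled datagram */

/* RFC 1071 Internet checksum; 0 means a buffer holding its checksum verifies. */
static uint16_t in_cksum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; p += 2, len -= 2)
        sum += (uint32_t)(p[0] << 8 | p[1]);
    if (len)
        sum += (uint32_t)(p[0] << 8);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* First fragment's header (with options) followed by the whole ICMP echo. */
static void build_reassembled(void)
{
    uint8_t *icmp = pkt + HLEN_FIRST;
    memset(pkt, 0, sizeof pkt);
    pkt[0] = 0x40 | (HLEN_FIRST >> 2);        /* version 4, IHL 15 words */
    pkt[20] = 7; pkt[21] = 39; pkt[22] = 4;   /* RR option: type, len, pointer */
    icmp[0] = 8;                              /* echo request */
    for (size_t i = 8; i < ICMP_LEN; i++)
        icmp[i] = (uint8_t)i;                 /* constructed payload bytes */
    uint16_t c = in_cksum(icmp, ICMP_LEN);
    icmp[2] = (uint8_t)(c >> 8); icmp[3] = (uint8_t)(c & 0xff);
}

/* Same computation as the fix: header length read from the reassembled header. */
static size_t hlen_from_header(void) { return (size_t)(pkt[0] & 0x0f) << 2; }
/* ICMP checksum test with the payload assumed to start hlen bytes in. */
static int icmp_cksum_ok(size_t hlen)
{
    return in_cksum(pkt + hlen, sizeof pkt - hlen) == 0;
}

int main(void)
{
    build_reassembled();
    return !(icmp_cksum_ok(hlen_from_header()) && !icmp_cksum_ok(HLEN_LAST));
}
```

With the stale 20-byte length the checksum covers the 40 option bytes as well as the ICMP message, so a valid echo request is rejected.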