From owner-freebsd-bugs Thu Jul 1 19:44:07 1999
Delivered-To: freebsd-bugs@freebsd.org
Received: from public1.ptt.js.cn (unknown [202.102.13.144]) by hub.freebsd.org (Postfix) with ESMTP id A2D11156C9; Thu, 1 Jul 1999 19:42:40 -0700 (PDT) (envelope-from witman@iname.com)
Received: from heart (tnt3-66-92.nj.js.cn [202.102.66.92]) by public1.ptt.js.cn (8.9.1/8.9.1) with SMTP id JAA20081; Fri, 2 Jul 1999 09:38:15 +0800 (CST)
Message-ID: <008f01bec434$82154c90$010000c8@heart.witman.com>
From: "Witman Peng"
To: "venkat venkatsubra"
Cc: freebsd-net@FreeBSD.ORG, freebsd-bugs@FreeBSD.ORG
Subject: Re: IP reassemble fails if it contains more than 20 bytes options?
Date: Fri, 2 Jul 1999 10:42:05 +0800
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3110.5
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

But if this packet is stored in a cluster, hlen is always less than m->m_len (which is greater than 207). So the following code will never be run.

BR
Witman Peng

-----Original Message-----
From: venkat venkatsubra
To: Witman Peng
Cc: freebsd-net@FreeBSD.ORG ; freebsd-bugs@FreeBSD.ORG
Date: 1999-07-01 22:00
Subject: Re: IP reassemble fails if it contains more than 20 bytes options?

>Witman,
> Isn't this taken care of early in ipintr ?
>--------------------------
>    if (hlen > m->m_len) {
>        if ((m = m_pullup(m, hlen)) == 0) {
>            ipstat.ips_badhlen++;
>            goto next;
>        }
>        ip = mtod(m, struct ip *);
>    }
>---------------------------
>
>Venkat
>
>Witman Peng wrote:
>
>> Hi, All
>>
>> I am developing an application based on 4.4BSD-Lite source code. When I port
>> the code in file netinet/ip_input.c, I found a problem. But I have no chance
>> to install FreeBSD and test it, so I am not sure whether it's a bug or not.
>> The following is the code to reassemble the IP fragments from ip_input.c:
>>
>> From routine ipintr:
>>     if (ip->ip_off &~ IP_DF) {
>>         if (m->m_flags & M_EXT) {            /* XXX */
>>             if ((m = m_pullup(m, sizeof (struct ip))) == 0) {
>>                 ipstat.ips_toosmall++;
>>                 goto next;
>>             }
>>             ip = mtod(m, struct ip *);
>>         }
>>
>> From routine ip_reass:
>>     int hlen = ip->ip_hl << 2;
>>     int i, next;
>>
>>     m->m_data += hlen;
>>     m->m_len -= hlen;
>>
>> Suppose a fragment with more than 208 bytes and a 40-byte IP option; it will
>> be stored in a cluster, not an mbuf. In routine ipintr, m_pullup just
>> pulls up sizeof(struct ip) (maybe 40 bytes, for the TCP header) bytes into a
>> new mbuf. However, the IP header is 60 (20 + 40) bytes, so the complete IP
>> header cannot be stored in this mbuf. Then in routine ip_reass, after running
>> the above code, m->m_data will point to an incorrect address.
>>
>> Does it seem right? Any inputs would be appreciated.
>>
>> BR,
>> Witman Peng
>>
>> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> with "unsubscribe freebsd-net" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
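The exchange above turns on how much of the header m_pullup() leaves in the new mbuf when the packet sits in a cluster. The following is an added illustration, not code from the thread or from FreeBSD: a toy mbuf model with a toy_m_pullup() that copies only max(len, max_protohdr) bytes out of a cluster, as Witman describes, and a reass_header_len() helper that replays the early hlen check, the fragment-path pullup of sizeof(struct ip), and the ip_reass() header strip. The buffer sizes (MHLEN, MAX_PROTOHDR, the 300-byte packet) and all function names are assumptions chosen to mirror the thread's 60-byte-header example; pulling up the real header length in the fragment path is shown only as one possible hardening, not as the fix FreeBSD adopted.

```c
/* Added illustration (not code from the thread or from FreeBSD): a toy model
 * of the mbuf/m_pullup() behaviour the thread describes, showing why a
 * fragment whose IP header carries 40 bytes of options ends up with a
 * negative m_len after ip_reass() strips the header. Buffer sizes and
 * helper names are assumptions chosen to mirror the thread's example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define M_EXT         0x01  /* data lives in an external cluster */
#define MHLEN         100   /* assumed data space of a plain header mbuf */
#define MAX_PROTOHDR  40    /* assumed max_protohdr ("maybe 40 bytes" in the thread) */
#define IP_MINHDR     20    /* sizeof(struct ip) without options */
#define PULLUP_FAILED -9999 /* sentinel distinct from any real m_len */

struct mbuf {
    struct mbuf *m_next;
    char        *m_data;        /* start of valid data */
    int          m_len;         /* bytes of valid data in this mbuf */
    int          m_flags;
    char        *m_ext;         /* cluster base (NULL for a plain mbuf), kept so it can be freed */
    char         m_dat[MHLEN];  /* inline data area of a plain mbuf */
};

static int min3(int a, int b, int c) { int m = a < b ? a : b; return m < c ? m : c; }

static void free_chain(struct mbuf *m)
{
    while (m) { struct mbuf *n = m->m_next; free(m->m_ext); free(m); m = n; }
}

/* Toy m_pullup(): the cluster case as the thread describes it. With M_EXT
 * set, a fresh plain mbuf is allocated and only
 * min(max(len, max_protohdr), MHLEN, n->m_len) bytes are copied into it;
 * the cluster keeps the rest and is chained behind the new mbuf. */
static struct mbuf *toy_m_pullup(struct mbuf *n, int len)
{
    if (len > MHLEN) { free_chain(n); return NULL; }     /* "goto bad" */
    if ((n->m_flags & M_EXT) == 0 && n->m_len >= len)
        return n;                                        /* already contiguous */
    struct mbuf *m = calloc(1, sizeof *m);
    int want  = len > MAX_PROTOHDR ? len : MAX_PROTOHDR;
    int count = min3(want, MHLEN, n->m_len);
    m->m_data = m->m_dat;
    memcpy(m->m_data, n->m_data, count);
    m->m_len   = count;
    n->m_data += count;
    n->m_len  -= count;
    m->m_next  = n;
    return m;
}

/* Constructed fragment: pktlen bytes in a cluster, IP header of hlen bytes
 * (20 fixed + options); only the version/IHL byte is filled in. */
static struct mbuf *make_cluster_fragment(int pktlen, int hlen)
{
    struct mbuf *n = calloc(1, sizeof *n);
    n->m_ext     = calloc(1, pktlen);
    n->m_data    = n->m_ext;
    n->m_data[0] = (char)(0x40 | (hlen >> 2));  /* version 4, IHL in 32-bit words */
    n->m_len     = pktlen;
    n->m_flags   = M_EXT;
    return n;
}

static int ip_hlen(const struct mbuf *m) { return (m->m_data[0] & 0x0f) << 2; }

/* Replay the path discussed in the thread. pullup_bytes is what the
 * fragment branch of ipintr() asks m_pullup() for: IP_MINHDR reproduces
 * the reported behaviour, passing the real header length is the hardened
 * variant. Returns the header mbuf's m_len after ip_reass() has stripped
 * the header; a negative value means m_data now points past the data. */
static int reass_header_len(int pktlen, int hlen, int pullup_bytes)
{
    struct mbuf *m = make_cluster_fragment(pktlen, hlen);
    /* Early check from ipintr(): never fires, the whole packet is in one cluster. */
    if (hlen > m->m_len && (m = toy_m_pullup(m, hlen)) == NULL)
        return PULLUP_FAILED;
    /* Fragment branch: if (m->m_flags & M_EXT) m_pullup(m, sizeof(struct ip)) */
    if ((m->m_flags & M_EXT) && (m = toy_m_pullup(m, pullup_bytes)) == NULL)
        return PULLUP_FAILED;
    /* ip_reass(): m->m_data += hlen; m->m_len -= hlen; */
    int h = ip_hlen(m);
    m->m_data += h;
    m->m_len  -= h;
    int result = m->m_len;
    free_chain(m);
    return result;
}

int main(void)
{
    printf("40-byte options, pullup sizeof(struct ip): m_len = %d\n",
           reass_header_len(300, 60, IP_MINHDR));   /* -20: header mbuf overrun */
    printf("40-byte options, pullup hlen:              m_len = %d\n",
           reass_header_len(300, 60, 60));          /* 0: header fully stripped */
    printf("no options, pullup sizeof(struct ip):      m_len = %d\n",
           reass_header_len(300, 20, IP_MINHDR));   /* 20 */
    return 0;
}
```

The first call shows the situation in the thread: the early `hlen > m->m_len` test is false because the whole packet is in one cluster, the fragment-path pullup copies only 40 bytes, and ip_reass() then subtracts a 60-byte header, leaving m_len negative. The second call shows that asking m_pullup() for the full header length before the strip keeps the accounting consistent; any real defence should also reject a header whose IHL exceeds the data actually present.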