Date: Fri, 02 Jul 1999 10:08:26 -0500
From: venkat venkatsubra <venkats@austin.ibm.com>
To: Witman Peng <witman@iname.com>
Cc: freebsd-net@FreeBSD.ORG, freebsd-bugs@FreeBSD.ORG
Subject: Re: IP reassemble fails if it contains more than 20 bytes options?
Message-ID: <377CD5EA.9F1E14BF@austin.ibm.com>
References: <008f01bec434$82154c90$010000c8@heart.witman.com>
Witman,

Looks like a problem. I don't know if it is fixed in later versions.

Venkat

Witman Peng wrote:

> But if this packet is stored in a cluster, hlen is always less than m->m_len
> (which is greater than 207). So the following code will never be run.
>
> BR
> Witman Peng
>
> -----Original Message-----
> From: venkat venkatsubra <venkats@austin.ibm.com>
> To: Witman Peng <witman@iname.com>
> Cc: freebsd-net@FreeBSD.ORG <freebsd-net@FreeBSD.ORG>;
> freebsd-bugs@FreeBSD.ORG <freebsd-bugs@FreeBSD.ORG>
> Date: 1 July 1999 22:00
> Subject: Re: IP reassemble fails if it contains more than 20 bytes options?
>
> >Witman,
> >
> > Isn't this taken care of early in ipintr ?
> >--------------------------
> >if (hlen > m->m_len) {
> >        if ((m = m_pullup(m, hlen)) == 0) {
> >                ipstat.ips_badhlen++;
> >                goto next;
> >        }
> >        ip = mtod(m, struct ip *);
> >}
> >---------------------------
> >
> >Venkat
> >
> >Witman Peng wrote:
> >
> >> Hi, All
> >>
> >> I am developing an application based on 4.4BSD-Lite source code. When I port
> >> the code in file netinet/ip_input.c, I found a problem. But I have no chance
> >> to install FreeBSD and test it, so I am not sure whether it's a bug or not.
> >> The following is the code to reassemble the IP fragments from ip_input.c:
> >>
> >> From routine ipintr:
> >>         if (ip->ip_off &~ IP_DF) {
> >>                 if (m->m_flags & M_EXT) {               /* XXX */
> >>                         if ((m = m_pullup(m, sizeof (struct ip))) == 0) {
> >>                                 ipstat.ips_toosmall++;
> >>                                 goto next;
> >>                         }
> >>                         ip = mtod(m, struct ip *);
> >>                 }
> >>
> >> From routine ip_reass:
> >>         int hlen = ip->ip_hl << 2;
> >>         int i, next;
> >>
> >>         m->m_data += hlen;
> >>         m->m_len -= hlen;
> >>
> >> Suppose a fragment with more than 208 bytes and 40 bytes IP option, it will
> >> be stored in the cluster but not mbuf. In routine ipintr, function pullup
> >> just pulls up sizeof(struct ip) (maybe 40 bytes for tcp header) bytes into a
> >> new mbuf. However, the IP header is 60 (20 + 40) bytes, so the complete IP
> >> header cannot be stored in this mbuf. Then in routine ip_reass, after running
> >> the above code, m->m_data will point to an incorrect address.
> >>
> >> Does it seem right? Any inputs would be appreciated.
> >>
> >> BR,
> >> Witman Peng
> >>
> >> To Unsubscribe: send mail to majordomo@FreeBSD.org
> >> with "unsubscribe freebsd-net" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
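The interaction Witman describes, as an added illustration that is not part of the thread and not 4.4BSD-Lite or FreeBSD code: a toy mbuf model whose m_pullup follows the 4.4BSD rule that a cluster-backed (M_EXT) mbuf is always copied into a fresh plain mbuf, max(len, max_protohdr) bytes at a time, so a pullup of sizeof(struct ip) on a fragment with 40 bytes of options copies only 40 bytes of a 60-byte header. MLEN, the value of max_protohdr (40, the tcpiphdr size Witman mentions), the pool allocator and the fragment bytes are assumptions of this example.

```c
/* Toy model of the mbuf / m_pullup interaction discussed in the thread.
 * Added illustration, not 4.4BSD-Lite or FreeBSD code; sizes and layout are
 * simplifying assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MLEN          108   /* assumed: data bytes a plain mbuf holds */
#define MCLBYTES     2048   /* assumed cluster size */
#define MAX_PROTOHDR   40   /* assumed max_protohdr (sizeof tcpiphdr) */
#define SIZEOF_IP      20   /* sizeof(struct ip), header without options */

struct mbuf {
    struct mbuf *m_next;
    uint8_t     *m_data;    /* start of valid data */
    int          m_len;     /* valid bytes at m_data */
    int          m_ext;     /* 1: m_data points into a cluster (M_EXT) */
    uint8_t      m_dat[MLEN];
};

static struct mbuf pool[4];
static int         pool_used;
static uint8_t     cluster[MCLBYTES];

static struct mbuf *m_get(void)
{
    struct mbuf *m = &pool[pool_used++];
    memset(m, 0, sizeof *m);
    m->m_data = m->m_dat;
    return m;
}

/* Simplified m_pullup: a plain mbuf already holding len bytes is returned as
 * is; a cluster-backed one is always copied into a new plain mbuf, pulling
 * max(len, max_protohdr) bytes, as the 4.4BSD routine does. */
static struct mbuf *m_pullup(struct mbuf *n, int len)
{
    struct mbuf *m;
    int want, count;

    if (!n->m_ext && n->m_len >= len)
        return n;
    if (len > MLEN)
        return NULL;                    /* cannot fit: drop, like the real code */
    m = m_get();
    want = len > MAX_PROTOHDR ? len : MAX_PROTOHDR;
    if (want > MLEN)
        want = MLEN;
    while (want > 0 && n != NULL) {
        count = want < n->m_len ? want : n->m_len;
        memcpy(m->m_dat + m->m_len, n->m_data, count);
        m->m_len += count;
        n->m_data += count;
        n->m_len -= count;
        want -= count;
        if (n->m_len == 0)
            n = n->m_next;              /* exhausted mbuf dropped (toy: not freed) */
    }
    if (m->m_len < len)
        return NULL;
    m->m_next = n;
    return m;
}

/* Constructed fragment: hlen-byte IPv4 header (NOP-padded options), MF set,
 * payload_len bytes of data, all stored in one cluster. */
static struct mbuf *build_fragment(int hlen, int payload_len)
{
    struct mbuf *m = m_get();
    int total = hlen + payload_len;

    memset(cluster, 0, sizeof cluster);
    cluster[0] = (uint8_t)(0x40 | (hlen >> 2));        /* version 4, ihl in words */
    cluster[2] = (uint8_t)(total >> 8);
    cluster[3] = (uint8_t)(total & 0xff);
    cluster[6] = 0x20;                                   /* MF flag, offset 0 */
    memset(cluster + SIZEOF_IP, 0x01, hlen - SIZEOF_IP); /* IPOPT_NOP filler */
    memset(cluster + hlen, 0xAA, payload_len);
    m->m_data = cluster;
    m->m_len = total;
    m->m_ext = 1;
    return m;
}

static int ip_hlen(const struct mbuf *m)
{
    return (m->m_data[0] & 0x0f) << 2;
}

/* Replay the two quoted steps: the ipintr pullup of pullup_len bytes, then
 * the ip_reass header strip.  Returns the first mbuf's m_len afterwards; a
 * negative value means m_data was advanced past the bytes it really holds. */
static int reass_first_len(int hlen, int pullup_len)
{
    struct mbuf *m;

    pool_used = 0;
    m = build_fragment(hlen, 200);
    if (m->m_ext) {
        m = m_pullup(m, pullup_len);
        if (m == NULL)
            return -1000;               /* ips_toosmall path: packet dropped */
    }
    hlen = ip_hlen(m);                  /* reread from the pulled-up header */
    m->m_data += hlen;
    m->m_len -= hlen;
    return m->m_len;
}

int main(void)
{
    printf("20-byte header, pullup sizeof(struct ip): m_len = %d\n", reass_first_len(20, SIZEOF_IP));
    printf("60-byte header, pullup sizeof(struct ip): m_len = %d\n", reass_first_len(60, SIZEOF_IP));
    printf("60-byte header, pullup hlen:              m_len = %d\n", reass_first_len(60, 60));
    return 0;
}
```

With a plain 20-byte header the 40-byte pullup leaves 20 bytes of payload in the first mbuf and everything is consistent; with 40 bytes of options the same pullup leaves m_len at -20 after ip_reass strips hlen, which is the incorrect m_data Witman points at. Pulling up hlen instead (or rejecting the packet when hlen > m->m_len after the pullup, the ips_badhlen check Venkat quotes) keeps the whole header contiguous in the plain mbuf before ip_reass touches it.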