From owner-freebsd-bugs Mon May 6 21:50:12 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id BD06437B403 for ; Mon, 6 May 2002 21:50:01 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g474o1387674; Mon, 6 May 2002 21:50:01 -0700 (PDT) (envelope-from gnats)
Received: from nwww.freebsd.org (nwww.FreeBSD.org [216.136.204.117]) by hub.freebsd.org (Postfix) with ESMTP id 91B5437B406 for ; Mon, 6 May 2002 21:41:20 -0700 (PDT)
Received: from nwww.freebsd.org (localhost [127.0.0.1]) by nwww.freebsd.org (8.12.2/8.12.2) with ESMTP id g474glhG055288 for ; Mon, 6 May 2002 21:42:47 -0700 (PDT) (envelope-from nobody@nwww.freebsd.org)
Received: (from nobody@localhost) by nwww.freebsd.org (8.12.2/8.12.2/Submit) id g474gliD055287; Mon, 6 May 2002 21:42:47 -0700 (PDT)
Message-Id: <200205070442.g474gliD055287@nwww.freebsd.org>
Date: Mon, 6 May 2002 21:42:47 -0700 (PDT)
From: "Amit K. Rao"
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: bin/37813: [PATCH]: Bug in Multilink PPP reassembly: mp_Assemble()
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Number:         37813
>Category:       bin
>Synopsis:       [PATCH]: Bug in Multilink PPP reassembly: mp_Assemble()
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon May 06 21:50:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Amit K. Rao
>Release:        current
>Organization:   NIKSUN Inc.
>Environment:    freebsd 4.2-RELEASE up to CURRENT
>Description:
Could you please glance at the following patch to HEAD and see if it actually is a bug.

During multilink PPP reassembly in src/usr.sbin/ppp/mp.c,v 1.49 : mp_Assemble(), when you put the fragment back at the front of the queue, don't you need to fix the offset back so that you can continue to readHeader() from the fragment the next time around? i.e.:

--- mp-current.c  Tue May  7 00:18:37 2002
+++ mp.c  Tue May  7 00:17:22 2002
@@ -558,6 +558,8 @@
        * Stuff our fragment back at the front of the queue and zap
        * our half-assembed packet.
        */
+      (*frag)->m_offset -= len;
+      (*frag)->m_len += len;
       (*frag)->m_nextpkt = mp->inbufs;
       mp->inbufs = *frag;
       *frag = NULL;
>How-To-Repeat:
Occurs in rare conditions: while reassembling a MLPPP fragment if a trailing fragment is missing.
>Fix:
--- mp-current.c  Tue May  7 00:18:37 2002
+++ mp.c  Tue May  7 00:37:35 2002
@@ -543,9 +543,6 @@
     len = mp_ReadHeader(mp, *frag, &h);
     if (first == -1)
       first = h.seq;
-    (*frag)->m_offset += len;
-    (*frag)->m_len -= len;
-    (*frag)->m_nextpkt = NULL;
     if (frag == &q && !h.begin) {
       log_Printf(LogWARN, "Oops - MP frag %lu should have a begin flag\n",
                  (u_long)h.seq);
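Review bot: Removing the three strip lines here means a fragment now enters the `frag == &q && !h.begin` branch with its MP header still in place and its m_nextpkt still pointing at whatever followed it in the old queue; the hunk shows only the log_Printf of that branch, not how it disposes of the fragment, so confirm that the disposal path neither walks m_nextpkt nor assumes m_len already excludes the header. Apart from that check the move is the right fix, and it is the one to commit: this diff and the earlier `m_offset -= len; m_len += len` diff are alternatives, and deferring the strip to the branch that actually keeps the fragment is cleaner than undoing it on the pushback path, because both leave the next mp_ReadHeader() at the top of the loop reading a real header instead of the first two bytes of payload. Note also that the flags that steer a fragment into the pushback branch come from the peer, so a mis-parse here is reachable from the wire and the existing LogWARN is the only signal an operator would see.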
@@ -565,10 +562,14 @@
       q = NULL;
       frag = &q;
       h.end = 0;              /* just in case it's a whole packet */
-    } else
-      do
-        frag = &(*frag)->m_next;
-      while (*frag != NULL);
+    } else {
+      (*frag)->m_offset += len;
+      (*frag)->m_len -= len;
+      (*frag)->m_nextpkt = NULL;
+      do
+        frag = &(*frag)->m_next;
+      while (*frag != NULL);
+    }
   } while (!h.end);

   if (q) {
>Release-Note:
>Audit-Trail:
>Unformatted:
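Review bot: The braces added around the do/while are required once the else body grows past one statement, and the hunk gets them right; the strip now happens only when the fragment is kept, while the pushback branch just above sets `h.end = 0` and leaves the header untouched, so the next pass re-reads the fragment from its original offset, which is exactly the case the PR describes. One point to verify outside the hunk: `(*frag)->m_nextpkt = NULL` is now executed only on this path, so the dequeue at the top of the loop must already have advanced mp->inbufs past the fragment before the flag checks run, otherwise the queue stays reachable through the kept fragment. A regression case built from How-To-Repeat (a begin fragment followed by an unexpected begin fragment, i.e. a dropped middle fragment) that checks the second read of the pushed-back fragment yields its original sequence number would pin the fix.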
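To make the failure mode in the PR concrete, the following is an added C model written for this review, not ppp's code: it reproduces the loop shape of mp_Assemble() (dequeue, read header, strip header, then branch on the begin flag) with a toy mbuf carrying m_offset, m_len, m_next and m_nextpkt, and a constructed two-byte header. All `toy_*` names, the header layout and the sample fragments are assumptions. With `restore_header` set it applies the PR's first patch before pushing the fragment back; without it the second read of the pushed-back fragment lands in the payload and returns a bogus sequence number.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for the mbuf fields mp_Assemble() touches (hypothetical names). */
struct toy_mbuf {
    unsigned char    data[32];
    size_t           m_offset;   /* first unread byte in data[] */
    size_t           m_len;      /* unread bytes from m_offset */
    struct toy_mbuf *m_next;     /* next fragment of the packet being built */
    struct toy_mbuf *m_nextpkt;  /* next fragment waiting in the input queue */
};

/* Constructed header: byte 0 = seq, byte 1 = flags (bit0 begin, bit1 end). */
#define TOY_HDR_LEN 2
#define TOY_BEGIN   1u
#define TOY_END     2u

struct toy_hdr { unsigned seq; int begin; int end; };

/* Parse the header at m_offset; like mp_ReadHeader() it returns the header length. */
static size_t toy_read_header(const struct toy_mbuf *m, struct toy_hdr *h)
{
    const unsigned char *p = m->data + m->m_offset;
    h->seq = p[0];
    h->begin = (p[1] & TOY_BEGIN) != 0;
    h->end = (p[1] & TOY_END) != 0;
    return TOY_HDR_LEN;
}

static struct toy_mbuf *toy_frag(unsigned seq, unsigned flags, const char *payload)
{
    struct toy_mbuf *m = calloc(1, sizeof *m);
    m->data[0] = (unsigned char)seq;
    m->data[1] = (unsigned char)flags;
    memcpy(m->data + TOY_HDR_LEN, payload, strlen(payload));
    m->m_len = TOY_HDR_LEN + strlen(payload);
    return m;
}

static void toy_free_packet(struct toy_mbuf *m)   /* frees an m_next chain */
{
    while (m) { struct toy_mbuf *n = m->m_next; free(m); m = n; }
}

static void toy_free_queue(struct toy_mbuf *m)    /* frees an m_nextpkt queue */
{
    while (m) { struct toy_mbuf *n = m->m_nextpkt; toy_free_packet(m); m = n; }
}

/* Same loop shape as mp_Assemble(); records every seq the header reader sees. */
static unsigned toy_assemble(struct toy_mbuf *inbufs, int restore_header,
                             unsigned seen[], unsigned max_reads)
{
    struct toy_mbuf *q = NULL, **frag = &q;
    struct toy_hdr h;
    unsigned n = 0;

    do {
        if (inbufs == NULL || n == max_reads)
            break;                           /* queue drained, or runaway guard */
        *frag = inbufs;
        inbufs = inbufs->m_nextpkt;
        size_t len = toy_read_header(*frag, &h);
        seen[n++] = h.seq;
        /* Header stripped before the flag checks, as mp.c 1.49 does. */
        (*frag)->m_offset += len;
        (*frag)->m_len -= len;
        (*frag)->m_nextpkt = NULL;
        if (frag == &q && !h.begin) {
            /* First fragment lacks a begin flag: discard it and start over. */
            toy_free_packet(q);
            q = NULL;
        } else if (frag != &q && h.begin) {
            /* Unexpected begin flag: push the fragment back to the front of
             * the queue and zap the half-assembled packet. */
            if (restore_header) {            /* the PR's first patch */
                (*frag)->m_offset -= len;
                (*frag)->m_len += len;
            }
            (*frag)->m_nextpkt = inbufs;
            inbufs = *frag;
            *frag = NULL;
            toy_free_packet(q);
            q = NULL;
            frag = &q;
            h.end = 0;                       /* force another pass */
        } else {
            do
                frag = &(*frag)->m_next;     /* append position for the next fragment */
            while (*frag != NULL);
        }
    } while (!h.end);

    toy_free_packet(q);
    toy_free_queue(inbufs);
    return n;
}

/* Constructed scenario: fragment 10 opens a packet, fragment 11 was lost, and
 * fragment 12 arrives with begin+end set.  Returns the seq seen when the
 * pushed-back fragment 12 is read for the second time. */
static unsigned toy_reread_seq(int restore_header)
{
    struct toy_mbuf *inbufs = toy_frag(10, TOY_BEGIN, "aaaa");
    inbufs->m_nextpkt = toy_frag(12, TOY_BEGIN | TOY_END, "bbbb");
    unsigned seen[8] = {0};
    unsigned n = toy_assemble(inbufs, restore_header, seen, 8);
    return n >= 3 ? seen[2] : 0;
}

int main(void)
{
    printf("header restored: re-read seq = %u\n", toy_reread_seq(1));
    printf("header stripped: re-read seq = %u\n", toy_reread_seq(0));
    return 0;
}
```

Without the fix the third header read returns 98, which is simply the byte value of the first payload character 'b', and because bit1 of 'b' happens to be set the bogus header also carries an end flag, so the loop silently drops the fragment; with the fix the same read returns 12 and fragment 12 is assembled normally. The `max_reads` guard is there only to keep the toy loop bounded on arbitrary constructed input.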