From owner-freebsd-net@FreeBSD.ORG  Sun Jan 11 19:47:35 2004
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 6DE2116A4CE; Sun, 11 Jan 2004 19:47:35 -0800 (PST)
Received: from sizone.org (mortar.sizone.org [65.126.154.242])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id EAB5C43D31; Sun, 11 Jan 2004 19:47:32 -0800 (PST)
	(envelope-from dgilbert@daveg.ca)
Received: by sizone.org (Postfix, from userid 66)
	id 31F1C307C6; Sun, 11 Jan 2004 22:47:32 -0500 (EST)
Received: by canoe.dclg.ca (Postfix, from userid 101)
	id 6102D1D1FFC; Sun, 11 Jan 2004 22:40:03 -0500 (EST)
From: David Gilbert <dgilbert@dclg.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <16386.5907.94237.791025@canoe.dclg.ca>
Date: Sun, 11 Jan 2004 22:40:03 -0500
To: Andre Oppermann <andre@freebsd.org>
In-Reply-To: <40008FCD.90525A33@freebsd.org>
References: <16384.14322.83258.940369@canoe.dclg.ca>
	<40008783.330FAFF4@freebsd.org>
	<40008FCD.90525A33@freebsd.org>
X-Mailer: VM 7.17 under 21.4 (patch 14) "Reasonable Discussion" XEmacs Lucid
cc: freebsd-net@freebsd.org
cc: freebsd-current@freebsd.org
cc: David Gilbert <dgilbert@dclg.ca>
Subject: Re: off-by-one error in ip_fragment, recently.
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Jan 2004 03:47:35 -0000

Further in followup to the ip_fragment() bug, at the crash, off =
1500, len = 1480 and ip->ip_len = 21248.  So m_copym() is being called
with off > len.

Dave.

-- 
============================================================================
|David Gilbert, Independent Contractor.       | Two things can only be     |
|Mail:       dave@daveg.ca                    |  equal if and only if they |
|http://daveg.ca                              |   are precisely opposite.  |
=========================================================GLO================