From owner-freebsd-bugs Sat Apr 21 8:40:19 2001 Delivered-To: freebsd-bugs@hub.freebsd.org Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id A751737B423 for ; Sat, 21 Apr 2001 08:40:07 -0700 (PDT) (envelope-from gnats@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f3LFe7H57959; Sat, 21 Apr 2001 08:40:07 -0700 (PDT) (envelope-from gnats) Date: Sat, 21 Apr 2001 08:40:07 -0700 (PDT) Message-Id: <200104211540.f3LFe7H57959@freefall.freebsd.org> To: freebsd-bugs@FreeBSD.org Cc: From: Stas Kisel Subject: Re: kern/24608: FreeBSD 4.2 Panics in Realtek rl driver Reply-To: Stas Kisel Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org The following reply was made to PR kern/24608; it has been noted by GNATS. From: Stas Kisel To: freebsd-gnats-submit@FreeBSD.org Cc: Subject: Re: kern/24608: FreeBSD 4.2 Panics in Realtek rl driver Date: Sat, 21 Apr 2001 18:39:45 +0300 Thank you, it looks like this patch fixes problem. My router did not experiense panic since I've applied patch (more than week ago). \bye Stas On Thu, Apr 12, 2001 at 04:33:11PM +0100, Ian Dowse wrote: > > This looks like the symptoms of the icmp_error problem that was > fixed recently. This bug caused the two upper bytes of mh_next to > get swapped, i.e. 0xc05a8d00->0x5ac08d00. Try either updating to > a more recent -stable, or apply the following patch in > /usr/src/sys/netinet: > > Ian > > --- ip_icmp.c 2001/02/23 20:51:46 1.53 > +++ ip_icmp.c 2001/03/08 19:03:26 1.54 > @@ -164,6 +164,8 @@ > if (m == NULL) > goto freeit; > icmplen = min(oiplen + 8, oip->ip_len); > + if (icmplen < sizeof(struct ip)) > + panic("icmp_error: bad length"); > m->m_len = icmplen + ICMP_MINLEN; > MH_ALIGN(m, m->m_len); > icp = mtod(m, struct icmp *); > @@ -189,7 +191,7 @@ > } > > icp->icmp_code = code; > - bcopy((caddr_t)oip, (caddr_t)&icp->icmp_ip, icmplen); > + m_copydata(n, 0, icmplen, (caddr_t)&icp->icmp_ip); > nip = &icp->icmp_ip; > > /* > --- ip_input.c 2001/03/05 22:40:27 1.161 > +++ ip_input.c 2001/03/08 19:03:26 1.162 > @@ -1563,12 +1563,21 @@ > } > > /* > - * Save at most 64 bytes of the packet in case > - * we need to generate an ICMP message to the src. > - */ > - mcopy = m_copy(m, 0, imin((int)ip->ip_len, 64)); > - if (mcopy && (mcopy->m_flags & M_EXT)) > - m_copydata(mcopy, 0, sizeof(struct ip), mtod(mcopy, caddr_t)); > + * Save the IP header and at most 8 bytes of the payload, > + * in case we need to generate an ICMP message to the src. > + * > + * We don't use m_copy() because it might return a reference > + * to a shared cluster. Both this function and ip_output() > + * assume exclusive access to the IP header in `m', so any > + * data in a cluster may change before we reach icmp_error(). > + */ > + MGET(mcopy, M_DONTWAIT, m->m_type); > + if (mcopy != NULL) { > + M_COPY_PKTHDR(mcopy, m); > + mcopy->m_len = imin((IP_VHL_HL(ip->ip_vhl) << 2) + 8, > + (int)ip->ip_len); > + m_copydata(m, 0, mcopy->m_len, mtod(mcopy, caddr_t)); > + } > > #ifdef IPSTEALTH > if (!ipstealth) { > @@ -1715,8 +1724,6 @@ > m_freem(mcopy); > return; > } > - if (mcopy->m_flags & M_EXT) > - m_copyback(mcopy, 0, sizeof(struct ip), mtod(mcopy, caddr_t)); > icmp_error(mcopy, type, code, dest, destifp); > } > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message