Date:      Mon, 6 May 2002 21:42:47 -0700 (PDT)
From:      "Amit K. Rao" <arao@niksun.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   bin/37813: [PATCH]: Bug in Multilink PPP reassembly: mp_Assemble()
Message-ID:  <200205070442.g474gliD055287@nwww.freebsd.org>


>Number:         37813
>Category:       bin
>Synopsis:       [PATCH]: Bug in Multilink PPP reassembly: mp_Assemble()
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon May 06 21:50:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Amit K. Rao
>Release:        current
>Organization:
NIKSUN Inc.
>Environment:
FreeBSD 4.2-RELEASE up to CURRENT
>Description:
Could you please glance at the following patch to HEAD and see if it actually is a bug. During multilink PPP reassembly in src/usr.sbin/ppp/mp.c,v 1.49: mp_Assemble(), when you put the fragment back at the front of the queue, don't you need to fix the offset back so that you can continue to readHeader() from the fragment the next time around?

i.e.:

--- mp-current.c        Tue May  7 00:18:37 2002
+++ mp.c        Tue May  7 00:17:22 2002
@@ -558,6 +558,8 @@
            * Stuff our fragment back at the front of the queue and zap
            * our half-assembed packet.
            */
+         (*frag)->m_offset -= len;
+         (*frag)->m_len += len;
           (*frag)->m_nextpkt = mp->inbufs;
           mp->inbufs = *frag;
           *frag = NULL;
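Review bot: these two lines and the diff under Fix below are two versions of the same correction and should not be applied together: once the Fix diff is in, the header is no longer stripped before this branch runs, so subtracting len here would move m_offset in front of the real start of the fragment. Undoing the strip by arithmetic also depends on len still being the return value of the most recent mp_ReadHeader() for *frag, which holds in the loop as shown but is easy to break later; the variant that strips only after the fragment is accepted avoids the pair of inverse operations and is the one to prefer.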

>How-To-Repeat:
Occurs in rare conditions: while reassembling an MLPPP fragment if a trailing fragment is missing.
>Fix:
 --- mp-current.c        Tue May  7 00:18:37 2002
+++ mp.c        Tue May  7 00:37:35 2002
@@ -543,9 +543,6 @@
         len = mp_ReadHeader(mp, *frag, &h);
         if (first == -1)
           first = h.seq;
-        (*frag)->m_offset += len;
-        (*frag)->m_len -= len;
-        (*frag)->m_nextpkt = NULL;
         if (frag == &q && !h.begin) {
           log_Printf(LogWARN, "Oops - MP frag %lu should have a begin flag\n",
                     (u_long)h.seq);
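Review bot: removing the strip from the top of the loop also changes the `frag == &q && !h.begin` branch that follows: when it runs, *frag now still carries its MP header and m_nextpkt is left as it was, where before it saw a header-stripped fragment with m_nextpkt cleared. The rest of that branch is outside the hunk, so whatever it does with q should be checked against that before the patch goes in.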
@@ -565,10 +562,14 @@
           q = NULL;
           frag = &q;
           h.end = 0;   /* just in case it's a whole packet */
-        } else
-          do
-            frag = &(*frag)->m_next;
-          while (*frag != NULL);
+        } else {
+           (*frag)->m_offset += len;
+           (*frag)->m_len -= len;
+           (*frag)->m_nextpkt = NULL;
+           do
+               frag = &(*frag)->m_next;
+           while (*frag != NULL);
+       }
       } while (!h.end);

       if (q) { 
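Review bot: the indentation of the added lines does not match the surrounding code: the three re-homed statements and the `do`/`while` are indented deeper than the lines they replace, and the closing `}` sits shallower than the `} else {` it closes, so the hunk reads as more than the plain move of three lines that it is. Reindenting to the file's 2-space steps would fix that. The placement itself is right: the strip now happens only once a fragment has been accepted into the packet, just before walking to its m_next tail, so the begin-flag branch above pushes the fragment back with m_offset and m_len untouched and the next call's mp_ReadHeader() sees the header again.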
>Release-Note:
>Audit-Trail:
>Unformatted:
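The queue behaviour the PR describes, as an added example in C that is not part of the report or of the ppp(8) source: a cut-down model of the input queue carrying only the m_offset, m_len and m_nextpkt fields the patch touches, a header parser for the RFC 1990 long sequence number format (the short format is deliberately left out), and one pass of the reassembly loop. The names (struct frag, read_header, make_frag, assemble_pass, seq_seen_on_next_pass) and the two-fragment input are invented for the example. The three modes model the code before the patch, the Description patch (undo the strip before pushing the fragment back) and the Fix patch (strip only after the fragment is accepted); in the first mode the next pass re-parses the pushed-back fragment at the advanced offset and reads payload bytes as the header.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* MP fragment header, long sequence number format (RFC 1990): byte 0 carries
 * B (0x80) and E (0x40), bytes 1-3 a 24-bit sequence number. The real
 * mp_ReadHeader() also handles the short format; this model does not. */
#define MP_HDR_LEN 4

/* Stand-in for the mbuf fields the PR's patch touches; not the ppp(8) struct. */
struct frag {
    uint8_t data[32];
    int m_offset;            /* first unread byte of data[] */
    int m_len;               /* number of unread bytes */
    struct frag *m_nextpkt;  /* next fragment in the input queue */
};

struct mp_header { int begin, end; uint32_t seq; };

enum strip_mode { STRIP_EARLY,          /* before the patch: strip on read */
                  STRIP_EARLY_RESTORE,  /* Description patch: strip, undo before push-back */
                  STRIP_DEFERRED };     /* Fix patch: strip only once accepted */

/* Parse the header at the fragment's current offset.
 * Returns the header length, or -1 if fewer than MP_HDR_LEN bytes remain. */
static int read_header(const struct frag *f, struct mp_header *h)
{
    const uint8_t *p = f->data + f->m_offset;
    if (f->m_len < MP_HDR_LEN)
        return -1;
    h->begin = (p[0] & 0x80) != 0;
    h->end = (p[0] & 0x40) != 0;
    h->seq = ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
    return MP_HDR_LEN;
}

/* Build a fragment from flags, sequence number and payload (constructed input). */
static void make_frag(struct frag *f, int begin, int end, uint32_t seq, const char *payload)
{
    memset(f, 0, sizeof *f);
    f->data[0] = (uint8_t)((begin ? 0x80 : 0) | (end ? 0x40 : 0));
    f->data[1] = (uint8_t)(seq >> 16);
    f->data[2] = (uint8_t)(seq >> 8);
    f->data[3] = (uint8_t)seq;
    memcpy(f->data + MP_HDR_LEN, payload, strlen(payload));
    f->m_len = MP_HDR_LEN + (int)strlen(payload);
}

/* One pass of the assembly loop, modelled on the one in the PR: dequeue a
 * fragment, read its header, and if a continuation was expected but the
 * fragment carries B, stuff it back at the front of the queue so the next
 * pass can start a new packet from it. Returns the number of fragments
 * accepted into the current packet, or -1 if a header could not be parsed. */
static int assemble_pass(struct frag **inbufs, enum strip_mode mode)
{
    struct mp_header h;
    int accepted = 0;

    while (*inbufs) {
        struct frag *f = *inbufs;
        int len = read_header(f, &h);
        if (len < 0)
            return -1;
        *inbufs = f->m_nextpkt;              /* dequeue */
        if (mode != STRIP_DEFERRED) {        /* original code: strip immediately */
            f->m_offset += len;
            f->m_len -= len;
        }
        if (accepted > 0 && h.begin) {       /* wrong fragment: starts a new packet */
            if (mode == STRIP_EARLY_RESTORE) {
                f->m_offset -= len;
                f->m_len += len;
            }
            f->m_nextpkt = *inbufs;          /* stuff it back at the front of the queue */
            *inbufs = f;
            return accepted;
        }
        if (mode == STRIP_DEFERRED) {        /* strip only now that it is accepted */
            f->m_offset += len;
            f->m_len -= len;
        }
        f->m_nextpkt = NULL;
        accepted++;
        if (h.end)
            return accepted;
    }
    return accepted;
}

/* How-To-Repeat scenario: packet A's trailing (E) fragment never arrives, so
 * the fragment queued after A's first piece is the start of packet B (seq 9).
 * Returns the sequence number the next pass reads from the pushed-back
 * fragment, or -1 if it no longer parses; 9 is the correct answer. */
static long seq_seen_on_next_pass(enum strip_mode mode)
{
    struct frag a, b;
    struct frag *inbufs = &a;
    struct mp_header h;

    make_frag(&a, 1, 0, 7, "first half of A");
    make_frag(&b, 1, 1, 9, "all of B");
    a.m_nextpkt = &b;
    assemble_pass(&inbufs, mode);            /* accepts a, pushes b back */
    if (inbufs == NULL || read_header(inbufs, &h) < 0)
        return -1;
    return (long)h.seq;
}

int main(void)
{
    static const char *name[] = { "strip early", "strip early + restore", "strip deferred" };
    for (int m = 0; m < 3; m++)
        printf("%-22s: next pass reads seq %ld\n", name[m], seq_seen_on_next_pass((enum strip_mode)m));
    return 0;
}
```

Compiling and running it prints the sequence number each mode reads on the second pass; only the two patched modes read 9, while the unpatched mode parses the first four payload bytes of packet B ("all ") as a header.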

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200205070442.g474gliD055287>