From owner-freebsd-current@FreeBSD.ORG Wed Jan 14 06:50:51 2004
Message-ID: <40055744.5030607@freebsd.org>
Date: Wed, 14 Jan 2004 15:50:44 +0100
From: Andre Oppermann
To: dgilbert@dclg.ca
cc: freebsd-net@freebsd.org, freebsd-gnats-submit@FreeBSD.org, freebsd-current@freebsd.org
Subject: Re: kern/61215: off-by-one error likely in ip_fragment()

David,

the problem with if_gre is actually twofold:

- the change of htons(m->m_pkthdr.len) in the last commit to that file is incorrect. In FreeBSD this is done in ip_output for all packets sent (unless RAW).

- The struct ip which is contained in struct gh is not correctly initialized. For some reason this didn't matter until now. It seems M_PREPEND may return non-zeroed memory.

There is no problem in either ip_fragment() or m_copym() (and the 'fix' I posted is bogus; however, some of those KASSERTs are highly bogus too and misleading).

Please try the attached patch. I was able to get correct GRE packets with that patch (as seen by ethereal).

I'm not sure if it is better to do a bzero() on the entire struct gh to have all ip header values set to zero for sure. There are still some that are uninitialized.

--
Andre

Index: if_gre.c
===================================================================
RCS file: /home/ncvs/src/sys/net/if_gre.c,v
retrieving revision 1.17
diff -u -p -r1.17 if_gre.c
--- if_gre.c 30 Dec 2003 11:41:42 -0000 1.17
+++ if_gre.c 14 Jan 2004 14:40:09 -0000
@@ -341,7 +341,7 @@ gre_output(struct ifnet *ifp, struct mbu goto end; } - if (m == NULL) { /* impossible */ + if (m == NULL) { /* mbuf allocation failed */ _IF_DROP(&ifp->if_snd); error = ENOBUFS; goto end;
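Review bot: the comment change in this hunk is documentation only and alters no behaviour, so the commit message should say so to keep it from being read as part of the fix. The new wording agrees with the message body (M_PREPEND can fail and hand back NULL), which the old `/* impossible */` contradicted, and the `error = ENOBUFS; goto end;` path it labels is sound because `end:` clears `sc->called` (visible at the end of the second hunk), so an allocation failure does not leave that flag set.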
@@ -363,13 +363,14 @@ gre_output(struct ifnet *ifp, struct mbu ((struct ip*)gh)->ip_ttl = GRE_TTL; ((struct ip*)gh)->ip_tos = ip->ip_tos; ((struct ip*)gh)->ip_id = ip->ip_id; - gh->gi_len = htons(m->m_pkthdr.len); + ((struct ip*)gh)->ip_off = 0; + gh->gi_len = m->m_pkthdr.len; } ifp->if_opackets++; ifp->if_obytes += m->m_pkthdr.len; /* send it off */ - error = ip_output(m, NULL, &sc->route, 0, + error = ip_output(m, NULL, &sc->route, IP_FORWARDING, (struct ip_moptions *)NULL, (struct inpcb *)NULL); end: sc->called = 0;
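Review bot: the switch of the ip_output() flags from 0 to IP_FORWARDING is a behavioural change that neither the message body nor the hunk explains; the commit message should state why it is needed. With IP_FORWARDING, ip_output() treats the caller's header as already complete instead of filling fields such as ip_off in itself, so every outer-header field has to be assigned in gre_output(). The new `((struct ip*)gh)->ip_off = 0;` covers one such field, but the message itself says others are still uninitialized, and since M_PREPEND returns non-zeroed memory any field left unset goes onto the wire with whatever bytes the mbuf previously held. A `bzero(gh, sizeof(*gh));` right after the M_PREPEND and before these assignments is the robust fix rather than zeroing fields one at a time. The `gh->gi_len = m->m_pkthdr.len;` change is consistent with the body's point that ip_output() applies htons() to the length itself, so the value is now swapped exactly once.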
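A user-space model of the two defects Andre describes (the double htons() on the length and the outer IP header built in memory that M_PREPEND does not clear), added here as an example; it is neither part of the message nor FreeBSD's if_gre.c. `struct fake_ip`, `fake_m_prepend()`, `fake_ip_output()` and the 0xAA fill pattern are constructed stand-ins for `struct ip`, `M_PREPEND`, `ip_output()` and the stale contents of an mbuf.

```c
/*
 * Added example, not FreeBSD code: a user-space model of the two gre_output()
 * defects described in the message.
 *  1. The outer IP header is built in memory that M_PREPEND does not zero,
 *     so any field not assigned keeps stale bytes (here: ip_off).
 *  2. ip_len was stored with htons() even though ip_output() swaps it again,
 *     so the length reached the wire double-swapped.
 * struct fake_ip, fake_m_prepend(), fake_ip_output() and the 0xAA fill are
 * hypothetical stand-ins for struct ip, M_PREPEND, ip_output() and the
 * previous contents of the mbuf.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

#define STALE_FILL 0xAA   /* constructed "previous contents" of the mbuf */

/* Only the struct ip fields this example touches, in the same order. */
struct fake_ip {
    uint16_t ip_len;   /* host order until fake_ip_output() */
    uint16_t ip_off;   /* host order until fake_ip_output() */
    uint8_t  ip_ttl;
    uint8_t  ip_p;
};

static int host_is_little_endian(void)
{
    uint16_t probe = 1;
    return *(unsigned char *)&probe == 1;
}

/* Stand-in for M_PREPEND: header space comes back without being cleared. */
static void fake_m_prepend(struct fake_ip *ip)
{
    memset(ip, STALE_FILL, sizeof(*ip));
}

/* Stand-in for ip_output(): ip_len and ip_off are converted to network
 * order exactly once; the caller must hand them over in host order. */
static void fake_ip_output(struct fake_ip *ip)
{
    ip->ip_len = htons(ip->ip_len);
    ip->ip_off = htons(ip->ip_off);
}

/* Build and "send" an outer header the way gre_output() does.
 *  pre_swap    1: reproduce the htons(m->m_pkthdr.len) bug, 0: the fix
 *  zero_header 1: bzero() the header after M_PREPEND, 0: leave stale bytes
 * ip_off is deliberately never assigned, as in the code before the patch. */
static void build_and_send(struct fake_ip *ip, uint16_t pkt_len,
                           int pre_swap, int zero_header)
{
    fake_m_prepend(ip);
    if (zero_header)
        memset(ip, 0, sizeof(*ip));
    ip->ip_ttl = 30;
    ip->ip_p   = 47;                 /* IPPROTO_GRE */
    ip->ip_len = pre_swap ? htons(pkt_len) : pkt_len;
    fake_ip_output(ip);
}

/* Read a 16-bit field back the way a receiver does: big-endian off the wire. */
static uint16_t wire16(const struct fake_ip *ip, size_t off)
{
    const unsigned char *b = (const unsigned char *)ip + off;
    return (uint16_t)((b[0] << 8) | b[1]);
}

/* Total length as a receiver would see it for the given build options. */
uint16_t sent_len(uint16_t pkt_len, int pre_swap, int zero_header)
{
    struct fake_ip ip;
    build_and_send(&ip, pkt_len, pre_swap, zero_header);
    return wire16(&ip, offsetof(struct fake_ip, ip_len));
}

/* Fragment flags/offset word as a receiver would see it. */
uint16_t sent_off(uint16_t pkt_len, int pre_swap, int zero_header)
{
    struct fake_ip ip;
    build_and_send(&ip, pkt_len, pre_swap, zero_header);
    return wire16(&ip, offsetof(struct fake_ip, ip_off));
}

int main(void)
{
    printf("host is %s-endian\n", host_is_little_endian() ? "little" : "big");
    printf("len 256, swapped once (fix):   wire len %u\n", sent_len(256, 0, 1));
    printf("len 256, swapped twice (bug):  wire len %u\n", sent_len(256, 1, 1));
    printf("ip_off without bzero (bug):    wire off 0x%04x\n", sent_off(256, 0, 0));
    printf("ip_off with bzero (fix):       wire off 0x%04x\n", sent_off(256, 0, 1));
    return 0;
}
```

On a little-endian host the double-swapped length of 256 arrives as 1, and an unassigned ip_off carries the 0xAAAA stale pattern; on a big-endian host htons() is the identity, which is why the byte-order bug went unnoticed on such machines while the uninitialized-header bug would not.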