Date:      Sun, 25 Oct 1998 12:16:05 +0000 (GMT)
From:      Doug Rabson <dfr@nlsystems.com>
To:        Don Lewis <Don.Lewis@tsc.tdk.com>
Cc:        Kris Kennaway <kkennawa@physics.adelaide.edu.au>, wollman@khavrinen.lcs.mit.edu, current@FreeBSD.ORG
Subject:   Re: nestea v2 against freebsd 3.0-Release (fwd)
Message-ID:  <Pine.BSF.4.01.9810251214110.366-100000@herring.nlsystems.com>
In-Reply-To: <199810250923.BAA25064@salsa.gv.tsc.tdk.com>

On Sun, 25 Oct 1998, Don Lewis wrote:

> Ok, I figured out what's going on.  When I compiled the nestea2.c under
> FreeBSD, it didn't run at all because rip_output() does some sanity
> checking between ip_len in the packet and the actual packet length, so
> it doesn't send the third fragment and causes sendto() to return
> EINVAL.  The Linux emulation code in the kernel is kind enough to fix
> ip_len, so the sanity check passes.  Even after I fixed this in
> nestea2.c, running it still didn't cause the system to panic.  The
> reason for this is some differences in byte swapping in the IP header
> fields between Linux and FreeBSD that nestea2.c attempted to compensate
> for, but didn't get right.  Once I fixed the byte swapping problem, I
> got the same panic you did, except for the linux emulation which I was
> not using.
> 
> The panic is caused by a bug in the new ip fragment reassembly code
> that can be provoked into playing with an mbuf after it has been freed.
> Here's a patch.
> 
> --- ip_input.c.orig	Fri Oct 23 02:17:19 1998
> +++ ip_input.c	Sun Oct 25 01:50:20 1998
> @@ -750,7 +750,7 @@
>  	 * if they are completely covered, dequeue them.
>  	 */
>  	for (; q != NULL && ip->ip_off + ip->ip_len > GETIP(q)->ip_off;
> -	     p = q, q = nq) {
> +	     q = nq) {
>  		i = (ip->ip_off + ip->ip_len) -
>  		    GETIP(q)->ip_off;
>  		if (i < GETIP(q)->ip_len) {
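Review bot: with `p = q` dropped from the increment, nothing in this hunk shows where `p` is advanced when `q` is kept (the `if (i < GETIP(q)->ip_len)` branch), so a reader cannot tell from these lines whether `p` still names the live predecessor of `q` at the point where `q` is unlinked and freed, or is simply never moved again. Please include the rest of the loop body in the patch, and consider a one-line comment above the `for` stating the invariant `p` is meant to hold, so the reason for removing `p = q` is visible in the code itself.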
> 

I don't understand how this patch works.  Won't it end up using the wrong
value for 'p' later on in the loop?  Could you explain which mbuf is being
used after it's freed and in what circumstances?

--
Doug Rabson				Mail:  dfr@nlsystems.com
Nonlinear Systems Ltd.			Phone: +44 181 951 1891
					Fax:   +44 181 381 1039
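As an added illustration of the predecessor-pointer question raised above, here is a constructed, simplified model of walking a sorted fragment queue and dropping the entries a new fragment fully covers; it is not FreeBSD's ip_input.c or Don's patch, and the struct, function names and sample offsets are made up for the example.

```c
#include <stdlib.h>

/* Constructed model of a fragment queue, not FreeBSD's mbuf/ipq code. */
struct frag {                 /* one per fragment, kept sorted by off */
    int off;                  /* first byte covered, like ip_off */
    int len;                  /* payload bytes, like ip_len */
    struct frag *next;
};

struct frag *make_queue(const int *offs, const int *lens, int n)
{
    struct frag *head = NULL, **tail = &head;
    for (int k = 0; k < n; k++) {
        struct frag *f = calloc(1, sizeof *f);
        f->off = offs[k]; f->len = lens[k];
        *tail = f; tail = &f->next;
    }
    return head;
}

int count_queue(const struct frag *q)
{
    int n = 0;
    for (; q != NULL; q = q->next) n++;
    return n;
}

/* Walk the fragments after 'prev' that the new fragment [off, off+len)
 * overlaps: trim and keep a partly covered one, unlink and free a fully
 * covered one.  'prev' must name the live predecessor of 'q', so it moves
 * only when 'q' survives; moving it in the freed branch as well (the
 * "p = q" the patch removes) would leave it pointing at freed memory. */
int drop_covered(struct frag **head, struct frag *prev, int off, int len)
{
    struct frag *q = prev ? prev->next : *head, *nq;
    int i, freed = 0;
    for (; q != NULL && off + len > q->off; q = nq) {
        nq = q->next;                 /* read before q can be freed */
        i = (off + len) - q->off;     /* bytes of q the new one covers */
        if (i < q->len) {             /* partial overlap: trim, keep */
            q->off += i; q->len -= i;
            prev = q;
        } else {                      /* fully covered: unlink, free */
            if (prev) prev->next = nq; else *head = nq;
            free(q);
            freed++;
        }
    }
    return freed;
}
```

The function returns how many fragments it freed; the survivors' offsets and lengths show the trimming.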
