Date:      Thu, 01 Jul 1999 10:02:36 -0500
From:      venkat venkatsubra <venkats@austin.ibm.com>
To:        Witman Peng <witman@iname.com>
Cc:        freebsd-net@FreeBSD.ORG, freebsd-bugs@FreeBSD.ORG
Subject:   Re: IP reassemble fails if it contains more that 20 bytes options?
Message-ID:  <377B830C.EE4A82E7@austin.ibm.com>
References:  <000101bec374$30e06eb0$010000c8@heart.witman.com>

Witman,
       Isn't this taken care of early in ipintr?
--------------------------
if (hlen > m->m_len) {
        if ((m = m_pullup(m, hlen)) == 0) {
                ipstat.ips_badhlen++;
                goto next;
        }
        ip = mtod(m, struct ip *);
}
---------------------------

Venkat

Witman Peng wrote:

> Hi, All
>
> I am developing an application based on 4.4BSD-Lite source code. When I port
> the code in file netinet/ip_input.c, I found a problem. But I have no chance
> to install FreeBSD and test it, so I am not sure whether it's a bug or not.
> The following is the code to reassemble the IP fragments from ip_input.c:
>
> From routine ipintr:
>     if (ip->ip_off &~ IP_DF) {
>           if (m->m_flags & M_EXT) {  /* XXX */
>                if ((m = m_pullup(m, sizeof (struct ip))) == 0) {
>                     ipstat.ips_toosmall++;
>                     goto next;
>                }
>                ip = mtod(m, struct ip *);
>           }
>
> From routine ip_reass:
>         int hlen = ip->ip_hl << 2;
>         int i, next;
>
>         m->m_data += hlen;
>         m->m_len -= hlen;
>
> Suppose a fragment with more than 208 bytes and 40 bytes of IP options; it will
> be stored in a cluster rather than an mbuf. In routine ipintr, the pullup
> function pulls up just sizeof(struct ip) (maybe 40 bytes for tcp header) bytes
> into a new mbuf. However, the IP header is 60 (20 + 40) bytes, so the complete IP
> header cannot be stored in this mbuf. Then in routine ip_reass, after running
> the above code, m->m_data will point to an incorrect address.
>
> Does it seem right? Any input would be appreciated.
>
> BR,
> Witman Peng
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
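
Added example (not part of the original thread and not FreeBSD source): a user-space model of the point discussed above, that the full header length (ip_hl << 2, options included) must be contiguous before ip_reass-style code advances the data pointer by hlen. The names struct buf, pullup, strip_ip_header and demo_split_header are hypothetical stand-ins for the mbuf, m_pullup and the kernel logic.

```c
#include <string.h>

/* Hypothetical, simplified stand-in for a BSD mbuf chain (not kernel code). */
struct buf {
    unsigned char store[128];  /* backing storage */
    unsigned char *data;       /* start of valid bytes, like m_data */
    int len;                   /* valid bytes in this buffer, like m_len */
    struct buf *next;
};

/* Like m_pullup: make the first `want` bytes contiguous in m. 0 on success. */
static int pullup(struct buf *m, int want)
{
    if (want > (int)sizeof m->store) return -1;
    memmove(m->store, m->data, (size_t)m->len);
    m->data = m->store;
    while (m->len < want) {
        struct buf *n = m->next;
        if (n == NULL) return -1;            /* chain shorter than header */
        int take = want - m->len < n->len ? want - m->len : n->len;
        memcpy(m->data + m->len, n->data, (size_t)take);
        m->len += take; n->data += take; n->len -= take;
        if (n->len == 0)
            m->next = n->next;               /* unlink drained buffer */
    }
    return 0;
}

/* Strip hlen = ip_hl << 2 bytes as ip_reass does, after the ipintr-style
 * check that the whole header, options included, is contiguous. */
static int strip_ip_header(struct buf *m)
{
    int hlen = m->len > 0 ? (m->data[0] & 0x0f) << 2 : 0;
    if (hlen < 20) return -1;                /* bad or missing header */
    if (hlen > m->len && pullup(m, hlen) != 0)
        return -1;
    m->data += hlen;
    m->len -= hlen;
    return hlen;
}

/* Constructed input: 60-byte header split 20 + 40 across two buffers. */
static int demo_split_header(void)
{
    struct buf b = {{0}, NULL, 44, NULL}, a = {{0x4f}, NULL, 20, &b};
    a.data = a.store; b.data = b.store; memcpy(b.store + 40, "DATA", 4);
    if (strip_ip_header(&a) != 60) return -1;
    return a.len == 0 && a.next == &b && memcmp(b.data, "DATA", 4) == 0;
}
```

Without the hlen > m->len check, the same input would leave len at -40 and data 40 bytes past the valid region of the first buffer.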
