From: David Gilbert <dgilbert@daveg.ca>
Date: Mon, 12 Jan 2004 00:10:43 -0500
To: Andre Oppermann
Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org, David Gilbert
Subject: Re: off-by-one error in ip_fragment, recently.
Message-ID: <16386.11347.853356.826784@canoe.dclg.ca>
In-Reply-To: <40008FCD.90525A33@freebsd.org>
References: <16384.14322.83258.940369@canoe.dclg.ca> <40008783.330FAFF4@freebsd.org> <40008FCD.90525A33@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

One more update before I go to bed.

One major change in if_gre.c has been to change

    gh->gi_len = m->m_pkthdr.len;

to

    gh->gi_len = htons(m->m_pkthdr.len);

... which is a fairly semantic change. Now ip_output() is called immediately after that ... and ip_output seems to expect the length in the packet to still be host order because it has:

    if ((ifp->if_snd.ifq_len + ip->ip_len / ifp->if_mtu + 1) >=

as one of the first things that are done with ip->ip_len... or am I mussing that up?

ip_output then goes on to call htons() on ip->ip_len many more times, and I'm too tired to track it reliably.

But, if I revert the change in if_gre.c, the kernel doesn't crash ... but the gre tunnel also doesn't work. It would appear the byte swap happens a few more times before ip_fragment().

But... what I do know is that in the -CURRENT code, the values that arrive in ip->ip_len in ip_fragment() from the gre tunnel are the byteswapped values from m->m_pkthdr.len above.

... which makes me wonder if this is a showstopper ... that ip_fragment() is broken in some general way.

Dave.

-- 
============================================================================
|David Gilbert, Independent Contractor.       | Two things can only be     |
|Mail:       dave@daveg.ca                    | equal if and only if they  |
|http://daveg.ca                              | are precisely opposite.    |
=========================================================GLO================
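The byte-order confusion Dave describes, as an added illustration that is not part of the mail or of the FreeBSD sources: it models, on an assumed little-endian host, what the ip_output() heuristic quoted above computes when ip->ip_len has already been htons()'d, and shows the kind of consistency check a kernel could assert on before fragmenting. The helper names swap16, expected_fragments and ip_len_matches_mbuf are hypothetical.

```c
/* Added example, not FreeBSD code. Models the host-vs-network byte-order
 * mix-up for ip_len on a little-endian host; helper names are invented. */
#include <stdint.h>
#include <stdio.h>

/* Explicit 16-bit byte swap, so the demo does not depend on the host CPU
 * (on a little-endian machine this is exactly what htons()/ntohs() do). */
static uint16_t swap16(uint16_t x)
{
    return (uint16_t)((x >> 8) | (x << 8));
}

/* Mirrors the term quoted from ip_output(): ip_len / mtu + 1, which only
 * makes sense if ip_len is still in host order. */
static int expected_fragments(uint16_t ip_len_host, int mtu)
{
    return ip_len_host / mtu + 1;
}

/* Consistency check a fragmenter could assert on at entry: the header
 * length, interpreted in the order the caller claims, must equal the mbuf
 * packet-header length. order_is_network says how ip_len is stored. */
static int ip_len_matches_mbuf(uint16_t ip_len_field, int order_is_network,
                               int pkthdr_len)
{
    uint16_t host_len = order_is_network ? swap16(ip_len_field) : ip_len_field;
    return host_len == pkthdr_len;
}

int main(void)
{
    int pkthdr_len = 1500, mtu = 1500;   /* constructed sample packet */

    /* Correct: ip_len left in host order, as ip_output() expects. */
    uint16_t ok = (uint16_t)pkthdr_len;
    /* Wrong: the length was already swapped (as gi_len is after the change)
     * and is then read as if it were still host order. */
    uint16_t swapped = swap16((uint16_t)pkthdr_len);

    printf("host-order %u -> %d fragment(s)\n", ok, expected_fragments(ok, mtu));
    printf("pre-swapped %u -> %d fragment(s)\n", swapped,
           expected_fragments(swapped, mtu));
    printf("consistent: ok=%d swapped=%d\n",
           ip_len_matches_mbuf(ok, 0, pkthdr_len),
           ip_len_matches_mbuf(swapped, 0, pkthdr_len));
    return 0;
}
```

A 1500-byte packet whose length was pre-swapped reads as 56325 bytes, so the fragment estimate jumps from 2 to 38; the mismatch against m_pkthdr.len is what the consistency check catches.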