From owner-freebsd-isdn Tue Nov  2 13:49:27 1999
Delivered-To: freebsd-isdn@freebsd.org
Received: from peedub.muc.de (peedub.muc.de [193.149.49.109]) by hub.freebsd.org (Postfix) with ESMTP id E8EA31545A for ; Tue, 2 Nov 1999 13:49:10 -0800 (PST) (envelope-from garyj@peedub.muc.de)
Received: from peedub.muc.de (localhost [127.0.0.1]) by peedub.muc.de (8.9.3/8.6.9) with ESMTP id WAA08143; Tue, 2 Nov 1999 22:48:03 +0100 (CET)
Message-Id: <199911022148.WAA08143@peedub.muc.de>
X-Mailer: exmh version 2.1.0 09/18/1999
To: mranner@netway.at
Cc: freebsd-isdn@freebsd.org
Subject: Re: a little bit more from the dump
Reply-To: Gary Jennejohn
In-reply-to: Your message of "Tue, 02 Nov 1999 16:00:36 +0100."
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Date: Tue, 02 Nov 1999 22:48:03 +0100
From: Gary Jennejohn
Sender: owner-freebsd-isdn@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Michael Ranner writes:
>
>(kgdb) where
>#0  boot (howto=256) at ../../kern/kern_shutdown.c:285
>#1  0xc015b310 in at_shutdown (
>    function=0xc021fef2 <__set_sysinit_set_sym_memdev_sys_init+1050>, arg=0x0,
>    queue=-1071470832) at ../../kern/kern_shutdown.c:446
>#2  0xc01e1b81 in trap_fatal (frame=0xc022a710, eva=3227291648)
>    at ../../i386/i386/trap.c:942
>#3  0xc01e185f in trap_pfault (frame=0xc022a710, usermode=0, eva=3227291648)
>    at ../../i386/i386/trap.c:835
>#4  0xc01e1502 in trap (frame={tf_es = 16, tf_ds = 16, tf_edi = 28,
>    tf_esi = 28, tf_ebp = -1071470748, tf_isp = -1071470792,
>    tf_ebx = -219231232, tf_edx = 14402, tf_ecx = 14, tf_eax = -1067675648,
>    tf_trapno = 12, tf_err = 0, tf_eip = -1072395457, tf_cs = 8,
>    tf_eflags = 66198, tf_esp = 28, tf_ss = -1071240252})
>    at ../../i386/i386/trap.c:437
>#5  0xc0148b3f in do_component (length=28)
>    at ../../i4b/layer3/i4b_q932fac.c:254
>#6  0xc0148b87 in do_component (length=30)
>    at ../../i4b/layer3/i4b_q932fac.c:273
>#7  0xc01489ef in i4b_aoc (
>    buf=0xc05c5808 "\034\037\221¡\034\002\001[\002\001!0\024¡\017\201\003ATS¢\b\201\003",
>    cd=0xc0262bc4) at ../../i4b/layer3/i4b_q932fac.c:138
>#8  0xc01455c8 in i4b_decode_q931_cs0_ie (unit=0, cd=0xc0262bc4, msg_len=30,
>    msg_ptr=0xc05c5808 "\034\037\221¡\034\002\001[\002\001!0\024¡\017\201\003ATS¢\b\201\003")
>    at ../../i4b/layer3/i4b_q931.c:416
>#9  0xc0144c82 in i4b_decode_q931 (unit=0, msg_len=34,
>    msg_ptr=0xc05c5804 "\b\001ùb\034\037\221¡\034\002\001[\002\001!0\024¡\017\201\003ATS¢\b\201\003")
>    at ../../i4b/layer3/i4b_q931.c:236
>#10 0xc0147c71 in i4b_dl_data_ind (unit=0, m=0xc05bdc00)
>    at ../../i4b/layer3/i4b_l2if.c:318
>#11 0xc0143fb3 in i4b_rxd_i_frame (unit=0, m=0xc05bdc00)
>    at ../../i4b/layer2/i4b_iframe.c:134
>#12 0xc014148b in i4b_ph_data_ind (unit=0, m=0xc05bdc00)
>    at ../../i4b/layer2/i4b_l2.c:370
>#13 0xc01ffdb3 in isic_isac_irq (sc=0xc02693a4, ista=128)
>    at ../../i4b/layer1/i4b_isac.c:189
>#14 0xc01fe9c9 in isicintr (unit=0) at ../../i4b/layer1/i4b_isic.c:208
>#15 0xc01fe8f5 in isicintr_sc (sc=0xc02693a4)
>    at ../../i4b/layer1/i4b_isic.c:152
>#16 0xc0203328 in avma1pp_intr (sc=0xc02693a4)
>    at ../../i4b/layer1/i4b_avm_fritz_pci.c:1282
>#17 0xc014eea6 in intr_mux (arg=0xc082ef00) at ../../kern/kern_intr.c:99
>
>(kgdb) list
>268             /* third component element: component contents */
>269             /*---------------------------------------------*/
>270
>271             if(comp_tag_form)       /* == constructor */
>272             {
>273                     do_component(comp_length);
>274             }
>275             else
>276             {
>277                     int val = 0;
>(kgdb) down
>#5  0xc0148b3f in do_component (length=28)
>    at ../../i4b/layer3/i4b_q932fac.c:254
>254                             comp_length += (*byte_buf * (i*256));
>(kgdb) list
>249                     byte_len += i;
>250
>251                     for(;i > 0;i++)
>252                     {
>253                             byte_buf++;
>254                             comp_length += (*byte_buf * (i*256));
>255                     }
>256             }
>257             else
>258             {
>(kgdb) print i
>$8 = 0
>(kgdb) print byte_len
>$9 = 134
>(kgdb) print byte_buf
>$10 = (unsigned char *) 0xc05c9000
> oh my God, it's recursive !

The panic is evidently triggered by receipt of AOCD info from the
telephone company. The actual length of the packet was 31 bytes (if I
read do_component correctly), but at the time of the panic it was up to
134 :-(, way beyond the end of the buffer.

I think the only person who even remotely understands this code is
Hellmuth, since he wrote it.

It might help if you could convince gdb to output in hex rather than
octal. That would allow one to check whether the packet contents are
reasonable (I don't know, I know nothing at all about what an AOCD
packet should contain).

You could try not using AOCD in isdnd.rc, I suppose. That might help.
But the kernel will probably still try to parse the packets.

A very interesting bug. I wonder why it suddenly shows up now.

Hellmuth !!! ;-)

---
Gary Jennejohn
Home - garyj@muc.de
Work - garyj@fkr.cpqcorp.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isdn" in the body of the message
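The quoted gdb listing shows the walk through the component's BER length field running far past the 31-byte packet before the page fault at 0xc05c9000. As an added illustration, not the i4b code from the thread or any part of it, here is a bounds-checked BER length decoder and component walker in C: every claimed length is checked against the bytes actually remaining before the pointer advances, nesting of constructed components is capped, and a constructed sample invoke component (the same tag, invoke id and operation bytes visible in the dump, with the tail gdb cut off replaced by made-up short elements) is walked intact and then with two bytes missing. The function names, MAX_DEPTH and the sample bytes are this example's own assumptions.

```c
/*
 * Bounds-checked walk of a BER-encoded Q.932 facility component, the kind
 * of data do_component() in the thread was parsing.  Added illustration,
 * not the i4b code: names, limits and the sample bytes are assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 8   /* assumed cap on nested constructed components */

/*
 * Decode one BER length field from buf[0..len).  On success store the
 * content length in *out, the octets consumed in *used and return 0.
 * Return -1 if the field is malformed or the claimed length does not fit
 * in what is left of the buffer, so the caller can never walk past it.
 */
int ber_length(const uint8_t *buf, size_t len, size_t *out, size_t *used)
{
    size_t n, i, v = 0;

    if (len == 0)
        return -1;
    if ((buf[0] & 0x80) == 0) {              /* short form: one octet */
        *out = buf[0];
        *used = 1;
    } else {
        n = buf[0] & 0x7f;                   /* long form: n length octets follow */
        if (n == 0 || n > sizeof(size_t) || n >= len)
            return -1;                       /* indefinite, oversized or truncated */
        for (i = 1; i <= n; i++)             /* loop bounded by n, never by the data */
            v = (v << 8) | buf[i];
        *out = v;
        *used = 1 + n;
    }
    if (*out > len - *used)                  /* content must fit the remainder */
        return -1;
    return 0;
}

/*
 * Walk every TLV in buf[0..len), descending into constructed tags.
 * Collects up to max_ints small universal INTEGER values in ints[] (for an
 * invoke component: the invoke id and the operation).  Returns the number
 * of TLVs visited, or -1 if any length claims more than is present or the
 * nesting exceeds MAX_DEPTH.
 */
int ber_walk(const uint8_t *buf, size_t len, int depth,
             int *ints, int *nints, int max_ints)
{
    size_t pos = 0, clen, used, i;
    int count = 0, sub, v;

    if (depth > MAX_DEPTH)
        return -1;
    while (pos < len) {
        uint8_t tag = buf[pos++];
        if ((tag & 0x1f) == 0x1f)            /* multi-octet tags: not handled here */
            return -1;
        if (ber_length(buf + pos, len - pos, &clen, &used) < 0)
            return -1;
        pos += used;
        if (tag & 0x20) {                    /* constructed: recurse over contents only */
            sub = ber_walk(buf + pos, clen, depth + 1, ints, nints, max_ints);
            if (sub < 0)
                return -1;
            count += sub;
        } else if (tag == 0x02 && clen >= 1 && clen <= 4 && *nints < max_ints) {
            for (v = 0, i = 0; i < clen; i++)  /* universal INTEGER, small values */
                v = (v << 8) | buf[pos + i];
            ints[(*nints)++] = v;
        }
        pos += clen;                         /* safe: ber_length proved it fits */
        count++;
    }
    return count;
}

/* Constructed sample: an invoke component shaped like the one in the dump
 * (tag 0xa1, invoke id 91, operation 33, then a SEQUENCE); the tail gdb
 * cut off is replaced by made-up short elements. */
const uint8_t sample_invoke[] = {
    0xa1, 0x10,                               /* [1] invoke, length 16 */
    0x02, 0x01, 0x5b,                         /*   INTEGER invokeId = 91 */
    0x02, 0x01, 0x21,                         /*   INTEGER operation = 33 */
    0x30, 0x08,                               /*   SEQUENCE, length 8 */
    0x81, 0x03, 'A', 'T', 'S',                /*     [1] "ATS" */
    0x82, 0x01, 0x02                          /*     [2] 2 (made up) */
};
const size_t sample_invoke_len = sizeof(sample_invoke);

int main(void)
{
    int ints[4], n = 0, r;

    r = ber_walk(sample_invoke, sample_invoke_len, 0, ints, &n, 4);
    printf("intact: %d TLVs, invokeId=%d operation=%d\n", r, ints[0], ints[1]);

    /* Same bytes two short: the invoke now claims more than remains. */
    n = 0;
    r = ber_walk(sample_invoke, sample_invoke_len - 2, 0, ints, &n, 4);
    printf("truncated: %d (rejected instead of reading past the end)\n", r);
    return 0;
}
```

The check that matters is the single comparison at the end of ber_length: a length is accepted only if it fits in the bytes still owned by the caller, so a corrupted or hostile length octet fails the parse instead of becoming a pointer walk off the end of the mbuf.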