From owner-freebsd-net  Thu Jul  1  8: 2:47 1999
Delivered-To: freebsd-net@freebsd.org
Received: from ausmail2.austin.ibm.com (ausmail2.austin.ibm.com [192.35.232.11])
	by hub.freebsd.org (Postfix) with ESMTP id 877BB14D50
	for ; Thu, 1 Jul 1999 08:02:40 -0700 (PDT)
	(envelope-from venkats@austin.ibm.com)
Received: from netmail.austin.ibm.com (netmail.austin.ibm.com [9.53.250.98])
	by ausmail2.austin.ibm.com (8.9.1/8.8.5) with ESMTP id JAA74388
	for ; Thu, 1 Jul 1999 09:58:42 -0500
Received: from ambika.austin.ibm.com (ambika.austin.ibm.com [9.53.150.77])
	by netmail.austin.ibm.com (8.8.5/8.8.5) with ESMTP id KAA42930;
	Thu, 1 Jul 1999 10:02:38 -0500
Received: from austin.ibm.com (localhost.austin.ibm.com [127.0.0.1])
	by ambika.austin.ibm.com (AIX4.3/UCB 8.8.8/8.7-client1.01) with ESMTP id KAA21874;
	Thu, 1 Jul 1999 10:02:37 -0500
Message-ID: <377B830C.EE4A82E7@austin.ibm.com>
Date: Thu, 01 Jul 1999 10:02:36 -0500
From: venkat venkatsubra
Organization: IBM
X-Mailer: Mozilla 4.06 [en] (X11; I; AIX 4.3)
MIME-Version: 1.0
To: Witman Peng
Cc: freebsd-net@FreeBSD.ORG, freebsd-bugs@FreeBSD.ORG
Subject: Re: IP reassemble fails if it contains more that 20 bytes options?
References: <000101bec374$30e06eb0$010000c8@heart.witman.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Witman,

Isn't this taken care of early in ipintr?

--------------------------
	if (hlen > m->m_len) {
		if ((m = m_pullup(m, hlen)) == 0) {
			ipstat.ips_badhlen++;
			goto next;
		}
		ip = mtod(m, struct ip *);
	}
---------------------------

Venkat

Witman Peng wrote:

> Hi, All
>
> I am developing an application based on 4.4BSD-Lite source code. When I ported
> the code in file netinet/ip_input.c, I found a problem. But I have no chance
> to install FreeBSD and test it, so I am not sure whether it's a bug or not.
> The following is the code to reassemble the IP fragments from ip_input.c:
>
> From routine ipintr:
>         if (ip->ip_off &~ IP_DF) {
>                 if (m->m_flags & M_EXT) {               /* XXX */
>                         if ((m = m_pullup(m, sizeof (struct ip))) == 0) {
>                                 ipstat.ips_toosmall++;
>                                 goto next;
>                         }
>                         ip = mtod(m, struct ip *);
>                 }
>
> From routine ip_reass:
>         int hlen = ip->ip_hl << 2;
>         int i, next;
>
>         m->m_data += hlen;
>         m->m_len -= hlen;
>
> Suppose a fragment with more than 208 bytes and 40 bytes of IP options; it will
> be stored in the cluster but not in the mbuf. In routine ipintr, the function
> pulls up just sizeof(struct ip) (maybe 40 bytes for tcp header) bytes into a
> new mbuf. However, the IP header is 60 (20 + 40) bytes, so the complete IP
> header cannot be stored in this mbuf. Then in routine ip_reass, after running
> the above code, m->m_data will point to an incorrect address.
>
> Does it seem right? Any inputs would be appreciated.
>
> BR,
> Witman Peng
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message
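The hazard Witman describes and the check Venkat points to, as an added C model that is not code from 4.4BSD-Lite or FreeBSD: a toy mbuf chain, a simplified m_pullup(), and the ip_reass() header strip run with and without the ipintr() "hlen > m->m_len" guard. MHLEN, the NOP-filled options and head_len_after_strip() are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>
#define MHLEN 256   /* constructed: data bytes one model mbuf can hold */

struct mbuf {       /* cut-down mbuf: m_data points into m_buf, m_len bytes valid */
    unsigned char m_buf[MHLEN], *m_data;
    int m_len;
    struct mbuf *m_next;
};

/* Model of m_pullup(): make the first len bytes of the chain contiguous in the head. */
static struct mbuf *m_pullup(struct mbuf *m, int len)
{
    while (m->m_len < len && m->m_next != NULL) {
        struct mbuf *n = m->m_next;
        int take = (len - m->m_len < n->m_len) ? len - m->m_len : n->m_len;
        if (m->m_data + m->m_len + take > m->m_buf + MHLEN) return NULL;
        memcpy(m->m_data + m->m_len, n->m_data, take);
        m->m_len += take; n->m_data += take; n->m_len -= take;
        if (n->m_len == 0) m->m_next = n->m_next;
    }
    return (m->m_len >= len) ? m : NULL;
}

/* The ip_reass() strip from the thread (m_data += hlen; m_len -= hlen). With guard set,
 * the ipintr() pullup Venkat quotes runs first. Returns hlen, or -1 if it refuses. */
static int ip_strip_header(struct mbuf *m, int guard)
{
    int hlen = (m->m_data[0] & 0x0f) << 2;   /* ip_hl: low nibble, in 32-bit words */
    if (hlen < 20) return -1;
    if (guard && hlen > m->m_len && m_pullup(m, hlen) == NULL) return -1;
    m->m_data += hlen; m->m_len -= hlen;
    return hlen;
}

/* Constructed fragment: ip_hl = 15 (20-byte header + 40 bytes of NOP options) plus 100
 * payload bytes; the head mbuf holds only the first pulled_up bytes, as if ipintr() had
 * pulled up just that much. Returns the head m_len after the strip (-9999 if refused). */
static int head_len_after_strip(int pulled_up, int guard)
{
    struct mbuf *head = calloc(2, sizeof *head), *tail = head + 1;
    int r;
    tail->m_buf[0] = 0x4f;                  /* version 4, ip_hl 15 */
    memset(tail->m_buf + 20, 0x01, 40);     /* 40 x IPOPT_NOP; payload stays zero */
    memcpy(head->m_buf, tail->m_buf, pulled_up);
    head->m_data = head->m_buf; head->m_len = pulled_up; head->m_next = tail;
    tail->m_data = tail->m_buf + pulled_up; tail->m_len = 160 - pulled_up;
    r = ip_strip_header(head, guard) < 0 ? -9999 : head->m_len;
    free(head);
    return r;
}
```

With only sizeof(struct ip) pulled up and no guard the head is left with a negative m_len, which is the corruption Witman describes; the guard pulls the full 60-byte header into the head first, so the strip leaves m_len at 0 and the payload intact in the next mbuf.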