Date:      Fri, 2 Jul 1999 10:42:05 +0800
From:      "Witman Peng" <witman@iname.com>
To:        "venkat venkatsubra" <venkats@austin.ibm.com>
Cc:        <freebsd-net@FreeBSD.ORG>, <freebsd-bugs@FreeBSD.ORG>
Subject:   Re: IP reassemble fails if it contains more than 20 bytes options?
Message-ID:  <008f01bec434$82154c90$010000c8@heart.witman.com>

But if this packet is stored in a cluster, hlen is always less than m->m_len
(which is greater than 207). So the following code will never be run.

BR
Witman Peng
-----Original Message-----
From: venkat venkatsubra <venkats@austin.ibm.com>
To: Witman Peng <witman@iname.com>
Cc: freebsd-net@FreeBSD.ORG <freebsd-net@FreeBSD.ORG>;
freebsd-bugs@FreeBSD.ORG <freebsd-bugs@FreeBSD.ORG>
Date: 1 Jul 1999 22:00
Subject: Re: IP reassemble fails if it contains more than 20 bytes options?


>Witman,
>       Isn't  this taken care of early in ipintr ?
>--------------------------
>	if (hlen > m->m_len) {
>		if ((m = m_pullup(m, hlen)) == 0) {
>			ipstat.ips_badhlen++;
>			goto next;
>		}
>		ip = mtod(m, struct ip *);
>	}
>---------------------------
>
>Venkat
>
>Witman Peng wrote:
>
>> Hi, All
>>
>> I am developing an application based on 4.4BSD-Lite source code. When I port
>> the code in file netinet/ip_input.c, I found a problem. But I have no chance
>> to install FreeBSD and test it, so I am not sure whether it's a bug or not.
>> The following is the code to reassemble the IP fragments from ip_input.c:
>>
>> From routine ipintr:
>>     if (ip->ip_off &~ IP_DF) {
>>           if (m->m_flags & M_EXT) {  /* XXX */
>>                if ((m = m_pullup(m, sizeof (struct ip))) == 0) {
>>                     ipstat.ips_toosmall++;
>>                     goto next;
>>                }
>>                ip = mtod(m, struct ip *);
>>           }
>>
>> From routine ip_reass:
>>         int hlen = ip->ip_hl << 2;
>>         int i, next;
>>
>>         m->m_data += hlen;
>>         m->m_len -= hlen;
>>
>> Suppose a fragment with more than 208 bytes and 40 bytes of IP options; it will
>> be stored in the cluster but not in the mbuf. In routine ipintr, function pullup
>> just pulls up sizeof(struct ip) (maybe 40 bytes for the tcp header) bytes into a
>> new mbuf. However, the IP header is 60 (20 + 40) bytes, so the complete IP
>> header cannot be stored in this mbuf. Then in routine ip_reass, after running
>> the above code, m->m_data will point to an incorrect address.
>>
>> Does it seem right? Any inputs would be appreciated.
>>
>> BR,
>> Witman Peng
>>
>> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> with "unsubscribe freebsd-net" in the body of the message
>



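To make the disagreement in this thread concrete, here is a small C model of the two m_pullup calls and the ip_reass header strip that the messages quote. It is an added example, not code from ip_input.c, uipc_mbuf.c or anything posted in the thread. It assumes, from the messages, a 208-byte fragment held in a cluster, a 60-byte IP header (20 fixed + 40 option bytes) and an m_pullup that makes at least 40 bytes contiguous ("maybe 40 bytes for tcp header"); MHLEN is an assumed header-mbuf capacity, and the variant that pulls up hlen bytes is an assumed comparison case, not the change the project made.

```c
/*
 * Added model of the mbuf handling discussed in this thread. It is not code
 * from ip_input.c or uipc_mbuf.c; the sizes come from the messages (208-byte
 * fragment in a cluster, 60-byte IP header of 20 + 40 option bytes, m_pullup
 * copying at least 40 bytes) and MHLEN is an assumed mbuf capacity.
 */
#include <stdbool.h>
#include <stdio.h>

#define IP_BASE_HDR    20      /* sizeof(struct ip) without options */
#define IP_MAX_HDR     60      /* 20 fixed bytes + at most 40 bytes of options */
#define MAX_PROTOHDR   40      /* assumed minimum that m_pullup makes contiguous */
#define MHLEN         100      /* assumed capacity of a header mbuf */
#define PULLUP_FAILED (-1000)  /* sentinel: toy m_pullup "returned NULL" */

struct toy_mbuf {
    int  m_len;   /* bytes in this mbuf (or in its cluster) */
    int  m_data;  /* offset of the first data byte; 0 = start of IP header */
    bool m_ext;   /* data lives in an external cluster (M_EXT) */
};

/* Toy m_pullup(): make the first `len` bytes (at least MAX_PROTOHDR, as the
 * real routine does) contiguous in a plain mbuf; the remainder is assumed to
 * stay chained behind it. Returns false where the real routine returns NULL. */
static bool toy_pullup(struct toy_mbuf *m, int len)
{
    int want = len > MAX_PROTOHDR ? len : MAX_PROTOHDR;
    if (want > MHLEN)
        return false;
    if (want > m->m_len)
        want = m->m_len;
    m->m_len = want;      /* only `want` bytes are contiguous now */
    m->m_ext = false;
    return true;
}

/* Walk one fragment through the three places quoted in the thread and return
 * the leading mbuf's m_len after ip_reass has stripped the header. A negative
 * result means fewer than hlen bytes were contiguous, so m_data now points
 * past the end of the mbuf's data. */
int reass_leading_len(int frag_len, int hlen, bool in_cluster, int frag_pullup)
{
    struct toy_mbuf m = { frag_len, 0, in_cluster };

    /* 1. ipintr header check. For a cluster m_len is the whole fragment, so
     *    hlen <= m_len and this m_pullup never runs (Witman's point). */
    if (hlen > m.m_len && !toy_pullup(&m, hlen))
        return PULLUP_FAILED;

    /* 2. ipintr fragment path marked XXX: on M_EXT data only frag_pullup
     *    bytes are made contiguous, whatever the option length. */
    if (m.m_ext && !toy_pullup(&m, frag_pullup))
        return PULLUP_FAILED;

    /* 3. ip_reass strips the header by advancing m_data. */
    m.m_data += hlen;
    m.m_len  -= hlen;
    return m.m_len;
}

/* True when the whole IP header was contiguous at the point ip_reass stripped it. */
bool header_was_contiguous(int frag_len, int hlen, bool in_cluster, int frag_pullup)
{
    return reass_leading_len(frag_len, hlen, in_cluster, frag_pullup) >= 0;
}

int main(void)
{
    /* Witman's case: 208-byte fragment in a cluster, 60-byte header, and a
     * pullup of sizeof(struct ip) only. */
    printf("pullup sizeof(struct ip): leading m_len after ip_reass = %d\n",
           reass_leading_len(208, IP_MAX_HDR, true, IP_BASE_HDR));
    /* Same fragment when the pullup asks for hlen bytes (assumed comparison
     * case, not the project's actual change). */
    printf("pullup hlen:              leading m_len after ip_reass = %d\n",
           reass_leading_len(208, IP_MAX_HDR, true, IP_MAX_HDR));
    /* No options: a 20-byte header fits inside the 40 bytes pulled up. */
    printf("no options:               leading m_len after ip_reass = %d\n",
           reass_leading_len(208, IP_BASE_HDR, true, IP_BASE_HDR));
    return 0;
}
```

With the sizes from the thread, the first case leaves the leading mbuf with m_len = -20: the 40 bytes the pullup made contiguous are shorter than the 60-byte header, so step 3 advances m_data 20 bytes past the mbuf's data, which is the incorrect address Witman describes. Pulling up hlen bytes instead leaves m_len = 0 in the leading mbuf with the payload chained behind it, and a header without options (20 bytes) is fine either way.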