From: jaeyong yoo
Date: Fri, 31 Jan 2025 21:25:58 -0500
Subject: Question about rack implementation for mbuf copy in fast-output
To: freebsd-questions@freebsd.org
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

Hi freebsd guru!

I am testing FreeBSD's latest RACK implementation on fstack and having a somewhat strange problem.

I see the buffer overflow happens at line:
https://github.com/freebsd/freebsd-src/blob/main/sys/netinet/tcp_stacks/rack.c#L18262

where it copies the data of mbuf to another mbuf which is created from m_get (not from mbuf cluster zone). And I'm seeing in my scenario, the copying length is 1300 bytes which causes overflow as the size of mbuf being 256 (as not from cluster). I'm trying to understand if in that line 18262 case, there is no possibility of copying length larger than this mbuf size (256) so I screwed up somewhere prior?

Any help would be appreciated!

Thanks,
Jaeyong
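Added example, not part of the original message and not FreeBSD code: a user-space C model of the situation described above, where a 1300-byte copy targets a 256-byte mbuf. It shows the length check against remaining space that refuses such a copy, and the size-based choice of a cluster-sized buffer. MODEL_MSIZE and MODEL_MCLBYTES follow FreeBSD's default MSIZE and MCLBYTES; the 32-byte header and all model_* names are assumptions of the model.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* MSIZE and MCLBYTES are FreeBSD's default sizes; the 32-byte header and
 * every model_* name are assumptions of this user-space model. */
#define MODEL_MSIZE    256
#define MODEL_MCLBYTES 2048
#define MODEL_MLEN     (MODEL_MSIZE - 32)

struct model_mbuf {
    size_t cap;                          /* usable bytes for this buffer */
    size_t len;                          /* bytes already stored */
    unsigned char data[MODEL_MCLBYTES];  /* backing store for either kind */
};

/* Pick the buffer kind from the length that will be copied in. */
static int model_alloc_for(struct model_mbuf *m, size_t need)
{
    if (need > MODEL_MCLBYTES)
        return -1;                       /* would need a chain of buffers */
    m->cap = (need <= MODEL_MLEN) ? MODEL_MLEN : MODEL_MCLBYTES;
    m->len = 0;
    return 0;
}

static size_t model_trailingspace(const struct model_mbuf *m)
{
    return m->cap - m->len;
}

/* Copy only if the data fits; refuse instead of writing past the buffer. */
static int model_append(struct model_mbuf *m, const void *src, size_t n)
{
    if (n > model_trailingspace(m))
        return -1;
    memcpy(m->data + m->len, src, n);
    m->len += n;
    return 0;
}

int main(void)
{
    static unsigned char payload[1300];  /* constructed 1300-byte payload */
    struct model_mbuf m;

    model_alloc_for(&m, 100);            /* small buffer, as from m_get */
    printf("1300 into %zu bytes: %d\n", m.cap, model_append(&m, payload, 1300));
    model_alloc_for(&m, sizeof(payload)); /* cluster-sized buffer */
    printf("1300 into %zu bytes: %d\n", m.cap, model_append(&m, payload, 1300));
    return 0;
}
```

In the kernel itself the equivalent guard is an assertion that the copy length does not exceed M_TRAILINGSPACE() of the destination mbuf, placed just before the copy.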