off-by-one error in ip_fragment, recently.
David Gilbert
dgilbert at dclg.ca
Sun Jan 11 21:10:48 PST 2004
One more update before I go to bed. One major change in if_gre.c has
been to change
gh->gi_len = m->m_pkthdr.len;
to
gh->gi_len = htons(m->m_pkthdr.len);
... which is a fairly semantic change. Now ip_output() is called
immediately after that ... and ip_output seems to expect the length in
the packet to still be host order because it has:
if ((ifp->if_snd.ifq_len + ip->ip_len / ifp->if_mtu + 1) >=
as one of the first things that are done with ip->ip_len... or am I
mussing that up?
ip_output then goes on to call htons() on ip->ip_len many more times,
and I'm too tired to track it reliably.
But, if I revert the change in if_gre.c, the kernel doesn't crash
... but the gre tunnel also doesn't work. It would appear the byte
swap happens a few more times before ip_fragment().
But... what I do know is that in the -CURRENT code, the values that
arrive in ip->ip_len in ip_fragment() from the gre tunnel are the
byteswapped values from m->m_pkthdr.len above.
... which makes me wonder if this is a showstopper ... that
ip_fragment() is broken in some general way.
Dave.
--
============================================================================
|David Gilbert, Independent Contractor. | Two things can only be |
|Mail: dave at daveg.ca | equal if and only if they |
|http://daveg.ca | are precisely opposite. |
============================================================================
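The byte-order problem Dave is chasing, worked through as an added example. This is my code, not FreeBSD's if_gre.c, ip_output() or ip_fragment(); the minimal header struct, the GRE MTU of 1476, the helper names and the assumption of a little-endian host are all mine. It shows what a consumer that expects ip_len in host order computes when the writer has already applied htons(): the quoted `ip_len / if_mtu + 1` estimate and a fragment count both jump from 2 to 39 for a 1500-byte packet, and a short packet (256 bytes) swaps to a length of 1, which is less than the header and must be rejected rather than used in an underflowing subtraction.

```c
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>   /* htons(), only used to report host endianness */

/* Hypothetical: the only IP header fields this walkthrough needs. */
struct ip_min {
    uint16_t ip_len;   /* total length; host or network order depending on who wrote it */
    uint16_t ip_off;   /* fragment offset/flags, unused here */
};

/* Explicit 16-bit byte swap, so the result is the same on any build host.
 * This is what a little-endian reader gets when it treats htons(v) as host order. */
uint16_t swap16(uint16_t v)
{
    return (uint16_t)((v << 8) | (v >> 8));
}

/* The estimate quoted from ip_output(): ip_len / if_mtu + 1.
 * Only meaningful if ip_len is in host order at this point. */
unsigned estimate_fragments(uint16_t ip_len_host, unsigned mtu)
{
    return ip_len_host / mtu + 1;
}

/* Fragments an ip_fragment()-style loop would emit for a packet of
 * ip_len_host bytes with an hlen-byte header over an mtu-byte link.
 * Payload per fragment is rounded down to a multiple of 8 because
 * fragment offsets are in 8-byte units. Returns 0 when the length is
 * shorter than the header, which a byte-swapped length easily is. */
unsigned fragment_count(uint16_t ip_len_host, unsigned hlen, unsigned mtu)
{
    if (ip_len_host < hlen || mtu <= hlen)
        return 0;                       /* bogus length: refuse instead of underflowing */
    unsigned per_frag = (mtu - hlen) & ~7u;
    unsigned data = ip_len_host - hlen;
    if (data <= mtu - hlen)             /* fits in one packet, no fragmentation */
        return 1;
    return (data + per_frag - 1) / per_frag;
}

/* Writer stores m_pkthdr.len either raw or through htons() (assumed little-endian
 * host, so htons() is modelled by swap16()); reader then uses ip_len as host order. */
unsigned fragments_seen_by_reader(uint16_t pkthdr_len, int writer_uses_htons,
                                  unsigned hlen, unsigned mtu)
{
    struct ip_min ip;
    ip.ip_off = 0;
    ip.ip_len = writer_uses_htons ? swap16(pkthdr_len) : pkthdr_len;
    return fragment_count(ip.ip_len, hlen, mtu);
}

int main(void)
{
    const uint16_t pkthdr_len = 1500;   /* constructed sample: a full Ethernet payload */
    const unsigned hlen = 20, gre_mtu = 1476;

    printf("host is %s-endian\n", htons(1) == 1 ? "big" : "little");
    printf("host order  : ip_len=%u estimate=%u fragments=%u\n",
           pkthdr_len, estimate_fragments(pkthdr_len, gre_mtu),
           fragments_seen_by_reader(pkthdr_len, 0, hlen, gre_mtu));
    printf("htons'd     : ip_len=%u estimate=%u fragments=%u\n",
           swap16(pkthdr_len), estimate_fragments(swap16(pkthdr_len), gre_mtu),
           fragments_seen_by_reader(pkthdr_len, 1, hlen, gre_mtu));
    printf("256 bytes   : swapped ip_len=%u fragments=%u (rejected)\n",
           swap16(256), fragments_seen_by_reader(256, 1, hlen, gre_mtu));
    return 0;
}
```

The point of the two computations is that a byte-order mismatch does not fail loudly: both the queue-depth estimate and the fragment loop happily run with 56325 instead of 1500, and the danger cases are the swapped lengths that land below the header size, where a fragmenter that subtracts hlen without a range check underflows.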