Andre Oppermann wrote:
>
> David Gilbert wrote:
> >
> > I just updated a machine that uses GRE to -CURRENT. Upon rebooting,
> > the debugger stopped at the following:
> >
> > "panic: m_copym, offset > size of mbuf chain"
>
> There are two possible ways this can happen: The function m_copym
> was called with off == 0, or off == m->m_len. Neither is supposed
> to happen (obviously) so the bug must be in ip_fragment. Let's have
> a look at that next...

There seems to be a bug in m_copym() anyway, but it's not the one you
trip over because we are getting into the while loop again. However
if off == m_len it would not break and trash *m for a panic a few lines
later.

--
Andre

Index: uipc_mbuf.c =================================================================== RCS file: /home/ncvs/src/sys/kern/uipc_mbuf.c,v retrieving revision 1.124 diff -u -p -r1.124 uipc_mbuf.c --- uipc_mbuf.c 25 Dec 2003 01:17:27 -0000 1.124 +++ uipc_mbuf.c 10 Jan 2004 23:47:36 -0000 _at__at_ -199,7 +199,7 _at__at_ m_copym(struct mbuf *m, int off0, int le copyhdr = 1; while (off > 0) { KASSERT(m != NULL, ("m_copym, offset > size of mbuf chain")); - if (off < m->m_len) + if (off <= m->m_len) break; off -= m->m_len; m = m->m_next;

Received on Sat Jan 10 2004 - 14:51:52 UTC
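Review bot: The new test `if (off <= m->m_len)` in the `while (off > 0)` loop changes behaviour for every offset that lands exactly on an mbuf boundary, not only at the end of the chain: the loop now stops with off equal to m->m_len, so m is left at an mbuf with no bytes remaining past the offset, where the old `<` test advanced to m->m_next with off at 0. The case the old code missed is narrower: when off equals m->m_len on the last mbuf, `m = m->m_next` makes m NULL and the loop exits because off is 0, so the KASSERT at the top of the loop body never sees it. Consider keeping `<` and checking m for NULL after the loop instead, or state in the commit message that the code following the loop copes with a first mbuf that contributes zero bytes.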
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:37:37 UTC