Re: off-by-one error in ip_fragment, recently.

From: David Gilbert <dgilbert_at_dclg.ca>
Date: Mon, 12 Jan 2004 00:10:43 -0500
One more update before I go to bed.  On major change in if_gre.c has
been to change

gh->gi_len = m->m_pkthdr.len;

to

gh->gi_len = htons(m->m_pkthdr.len);

... which is a fairly semantic change.  Now ip_output() is called
immediately after that ... and ip_output seems to expect the length in
the packet to still be host order because it has:

	if ((ifp->if_snd.ifq_len + ip->ip_len / ifp->if_mtu + 1) >=

as one of the first things that are done with ip->ip_len... or am I
mussing that up?

ip_output then goes on to call htons() on ip->ip_len many more times,
and I'm too tired to track it reliably.

But, if I revert the change in if_gre.c, the kernel doesn't crash
... but the gre tunnel also doesn't work.  It would appear the byte
swap happens a few more times before ip_fragment().

But... what I do know is that in the -CURRENT code, the values that
arrive in ip->ip_len in ip_fragment() from the gre tunnel are the
byteswapped values from m->m_pkthdr.len above.

... which makes me wonder if this is a showstopper ... that
ip_fragment() is broken in some general way.

Dave.

-- 
============================================================================
|David Gilbert, Independent Contractor.       | Two things can only be     |
|Mail:       dave_at_daveg.ca                    |  equal if and only if they |
|http://daveg.ca                              |   are precisely opposite.  |
=========================================================GLO================
Received on Sun Jan 11 2004 - 20:10:48 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:37:37 UTC