[prev in list] [next in list] [prev in thread] [next in thread]
List: freebsd-bugs
Subject: misc/6177: IP reassembly fails when some options present
From: eric () ennovatenetworks ! com
Date: 1998-03-30 21:28:39
[Download RAW message or body]
>Number: 6177
>Category: misc
>Synopsis: IP reassembly fails when some options present
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Mar 30 13:30:01 PST 1998
>Last-Modified:
>Originator: Eric Sprinkle
>Organization:
Ennovate Networks, Inc
>Release: FreeBSD 2.2.5-RELEASE i386
>Environment:
Two machines on the same IP subnet. Intel Etherexpress 100 NICs
>Description:
An oversized ping with record-route option fails the checksum test
in ip_input and gets discarded.
The function ip_input in ip_input.c determines the IP header length
for each packet or fragment and save the length in the variable 'hlen'.
Later on ip_input decides its a fragment and reassembles it and calls
icmp_input with the header length. Unfortunately, hlen is the length
of the last fragments IP header, which may be different than the
header length of the first fragment. The 'record-route' option is
an example of an option that is only present in the first fragment of
a datagram.
>How-To-Repeat:
ping -s 3000 -R remote-node
>Fix:
In the code scrap below, from ip_input, the comment and
the one line after the comment (hlen = ...) fix the problem.
if (((struct ipasfrag *)ip)->ipf_mff & 1 || ip->ip_off) {
ipstat.ips_fragments++;
ip = ip_reass((struct ipasfrag *)ip, fp, &ipq[sum]);
if (ip == 0)
return;
/*
* Get the reassembled packet's header length
*/
hlen = IP_VHL_HL(ip->ip_vhl) << 2;
ipstat.ips_reassembled++;
m = dtom(ip);
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic