4.2 BSD IP loses mbufs - FIX
Brian Thomson
thomson at uthub.UUCP
Tue Oct 9 07:30:48 AEST 1984
Index: netinet/ip_input.c 4.2BSD Fix
Description:
When the IP input module drops a truncated packet it only
frees the last mbuf in the chain.
Repeat-By:
Procure a network interface that habitually truncates
incoming packets, so their actual length is less than
that implied by the length field in the IP header.
The RS232 interface driver from rick at seismo seems to do
this under sufficiently heavy load. (This is not a complaint;
interfaces are allowed to make mistakes).
Each time this happens, some data mbufs may be lost.
Fix:
In file netinet/ip_input.c, routine ipintr() accumulates
the data size of the incoming packet by chaining down the
linked list of mbufs, and compares this size with the data
length indicated in the IP header. If the packet is too short,
the following code is exercised:
        if (i < 0) {
                ipstat.ips_tooshort++;
                goto bad;
        }
        ...
bad:
        m_freem(m);
        goto next;
}
But variable m was used to follow the links in the mbuf list, and
now points at the last mbuf in the list rather than the first,
so only the last one gets freed. The fix is to add 1 line:
        if (i < 0) {
                ipstat.ips_tooshort++;
                m = m0;
                goto bad;
        }
P.S.: netstat -s incorrectly labels this statistic as
number of packets "with size less than minimum"; it
is actually the number of packets "with data size < data length".
The "size less than minimum" statistic is ipstat.ips_toosmall.
--
Brian Thomson, CSRI Univ. of Toronto
{linus,ihnp4,uw-beaver,floyd,utzoo}!utcsrgv!uthub!thomson
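
Added example, not part of the original post and not 4.2BSD source: a small C model of the bug described above, showing how many mbufs stay allocated when a truncated packet is dropped with and without the one-line fix. The fixed-size pool, the struct layout, chain_free() and mbufs_lost() are simplified stand-ins assumed for illustration; only the walk-then-free logic follows the post.

```c
#include <stdio.h>

#define NMBUF 8                         /* size of the toy mbuf pool (assumed) */
/* Simplified stand-in for a BSD mbuf; only the fields this example needs. */
struct mbuf {
    struct mbuf *m_next;
    int m_len;
    int in_use;
};

static struct mbuf pool[NMBUF];

/* Stand-in for m_freem(): release m and every mbuf linked after it. */
static void chain_free(struct mbuf *m)
{
    for (; m != NULL; m = m->m_next)
        m->in_use = 0;
}

/* Receive a packet of nbufs mbufs (1..NMBUF), len_each bytes each, whose IP
 * header claims ip_len bytes. Returns how many mbufs stay marked in use. */
int mbufs_lost(int nbufs, int len_each, int ip_len, int apply_fix)
{
    struct mbuf *m0 = &pool[0], *m = m0;
    int i, lost = 0;
    for (i = 0; i < NMBUF; i++) {       /* reset the pool, chain the first nbufs */
        pool[i].m_len = len_each;
        pool[i].in_use = (i < nbufs);
        pool[i].m_next = (i + 1 < nbufs) ? &pool[i + 1] : NULL;
    }
    i = m->m_len - ip_len;              /* data present minus data claimed */
    while (m->m_next != NULL) {         /* the walk leaves m on the LAST mbuf */
        m = m->m_next;
        i += m->m_len;
    }
    if (i < 0 && apply_fix)
        m = m0;                         /* the one-line fix from the post */
    chain_free(i < 0 ? m : m0);         /* drop path frees from m, as at "bad:" */
    for (i = 0; i < NMBUF; i++)
        lost += pool[i].in_use;
    return lost;
}

int main(void)
{
    printf("lost without fix: %d\n", mbufs_lost(3, 100, 400, 0));
    printf("lost with fix:    %d\n", mbufs_lost(3, 100, 400, 1));
    return 0;
}
```

A packet that fits in a single mbuf loses nothing even without the fix, because the last mbuf is also the first; the loss grows with chain length.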