tcp packet with options corrupts mbufs
Richard Mathews
lcc.richard at locus.ucla.edu
Tue Dec 24 18:13:45 AEST 1985
Description:
If a packet includes tcp options, the m_len and m_off fields of
the mbuf are set incorrectly. I had this happen on a 4.1 system
with 4.2 ipc added, but a glance at the 4.3 code indicates that
the problem exists there as well.
Repeat-by:
Send packets with tcp options to a system running 4.2 or 4.3. We
had someone who ran the "mget" command from "ftp" and consistantly
got "panic: trap" in the bcopy called from sballoc. He was sending
files from a Gould to a Vax. Bcopy was passed a length of -8.
Fix:
In tcp_input(), change:
/*
* Drop TCP and IP headers.
*/
off += sizeof (struct ip);
m->m_off += off;
m->m_len -= off;
to:
/*
* Drop TCP and IP headers.
*/
m->m_off += sizeof(struct tcpiphdr);
m->m_len -= sizeof(struct tcpiphdr);
Notice that this only makes a difference if the test
if (off > sizeof (struct tcphdr))
was true.
Richard M. Mathews
Locus Computing Corporation lcc.richard at LOCUS.UCLA.EDU
lcc.richard at UCLA-CS
{ihnp4,ucivax,trwrb}!lcc!richard
{randvax,sdcrdcf,ucbvax,trwspp}!ucla-cs!lcc!richard
More information about the Comp.unix.wizards
mailing list