panic: TCP header not in one mbuf

YONETANI Tomokazu qhwt+dragonfly-bugs at les.ath.cx
Sat Jul 17 20:46:07 PDT 2004


On Sat, Jul 17, 2004 at 11:13:22AM -0700, Matthew Dillon wrote:
> 
> :Hello.
> :Encountered this panic while downloading NetBSD source tree with CVSup.
> :The kernel was compiled at 12th of July, but as far as I looked at commits@
> :list, there's not a relevant fix yet. FWIW, the panicked DragonFly
> :machine is behind a FreeBSD-CURRENT ipnat box, and I'm using mssclamp
> :option in the ipnat rule file to workaround MTU problem. I'm going to
> :do some more tests to see if it's reproducible.
> 
>    Try this patch.  It's another check ordering issue in ip_demux.c.
>    Fragmented packets are skipping the check.  The TCP and UDP header
>    length must be checked within the first fragment and, in fact, it
>    is also a very good idea to disallow tcp/ip and udp/ip headers that 
>    cross fragment boundaries (there are a ton of attacks that use that
>    trick to get through various firewalls).
> 
> 					-Matt
> 					Matthew Dillon 
> 					<dillon at xxxxxxxxxxxxx>
> 
> Index: ip_demux.c
> ===================================================================

No, it still panics at the same place with your patch applied.
I also updated the source to the latest (just before the update of
newvers.sh) and compiled the kernel with gcc2, but the same panic.

This is the supfile I used to update the NetBSD tree under /home/source/netbsd
|*default host=cvsup.jp.NetBSD.org
|*default base=/home/source/netbsd
|*default prefix=/home/source/netbsd
|*default release=cvs tag=.
|*default delete use-rel-suffix
|
|netbsd-src

And the backtrace:
(kgdb) bt
#0  dumpsys () at /home/source/dragonfly/src/sys/kern/kern_shutdown.c:503
#1  0xc0154acc in boot (howto=256) at /home/source/dragonfly/src/sys/kern/kern_shutdown.c:336
#2  0xc0154f10 in poweroff_wait (junk=0xc022f502, howto=20)
    at /home/source/dragonfly/src/sys/kern/kern_shutdown.c:615
#3  0xc01a9184 in tcp_input (m=0xc5dd2c00)
    at /home/source/dragonfly/src/sys/netinet/tcp_input.c:505
#4  0xc01a4819 in transport_processing_oncpu (m=0xc5dd2c00, hlen=20, ip=0xc5dd4820, nexthop=0x0)
    at /home/source/dragonfly/src/sys/netinet/ip_input.c:425
#5  0xc01a4846 in transport_processing_handler (lmsg=0xc6509900)
    at /home/source/dragonfly/src/sys/netinet/ip_input.c:446
#6  0xc019b0c1 in netmsg_service_loop (arg=0x0) at /home/source/dragonfly/src/sys/net/netisr.c:209
(kgdb) fram 3
#3  0xc01a9184 in tcp_input (m=0xc5dd2c00)
    at /home/source/dragonfly/src/sys/netinet/tcp_input.c:505
505                     KASSERT(m->m_len >= sizeof(struct tcpiphdr),
(kgdb) print *m
$1 = {
  m_hdr = {
    mh_next = 0xc5da0200,
    mh_nextpkt = 0x0,
    mh_data = 0xc5dd4812 "",
    mh_len = 0,
    mh_type = 1,
    mh_flags = 3
  },
  M_dat = {
    MH = {
      MH_pkthdr = {
        rcvif = 0x0,
        len = 1456,
        header = 0xc5dd4820,
        csum_flags = 0,
        csum_data = -1659148856,
        tags = {
          slh_first = 0x0
        }
      },
      MH_dat = {
        MH_ext = {
          ext_buf = 0xc5dd4800 "",
          ext_free = 0,
          ext_size = 2048,
          ext_ref = 0
        },
        MH_databuf = "\000HÝÅ\000\000\000\000\000\b\000\000\000\000\000\000\005\000\000\000<\034\000\000\006\000\000\000l\t\000\000\n\000\000\000m\t\000\000\013\000\000\000\020\000\000\000\021\000\000\000¬%\000\000\022\000\000\000\200\005\000\000\023\000\000\000\b\000\000\000o°", '\000' <repeats 43 times>, "À®\005(,\214\001\000\000\000\000\000\000\000\000\000\030<\006(\205J\005(kG\005(,L\006($«\006(H?\006(\034<\006(\200 \006(X?\006(:\006(=\006(ÈK\006( \026\005(`?\006(\nE\005(\004«\006(\024«\006( «\006(T?\006("
      }
    },
---Type <return> to continue, or q <return> to quit---
    M_databuf = "\000\000\000\000°\005\000\000 HÝÅ\000\000\000\000Èe\e\235\000\000\000\000\000HÝÅ\000\000\000\000\000\b\000\000\000\000\000\000\005\000\000\000<\034\000\000\006\000\000\000l\t\000\000\n\000\000\000m\t\000\000\013\000\000\000\020\000\000\000\021\000\000\000¬%\000\000\022\000\000\000\200\005\000\000\023\000\000\000\b\000\000\000o°", '\000' <repeats 43 times>, "À®\005(,\214\001\000\000\000\000\000\000\000\000\000\030<\006(\205J\005(kG\005(,L\006($«\006(H?\006(\034<\006(\200 \006(X?\006(:\006(=\006(ÈK\006( \026\005(`?\006(\nE\005(\004«\006(\024«\006( «\006(T"...
  }
}
(kgdb) list
500                     if (off0 > sizeof(struct ip)) {
501                             ip_stripoptions(m);
502                             off0 = sizeof(struct ip);
503                     }
504                     /* already checked and pulled up in ip_demux() */
505                     KASSERT(m->m_len >= sizeof(struct tcpiphdr),
506                         ("TCP header not in one mbuf"));
507                     ip = mtod(m, struct ip *);
508                     ipov = (struct ipovly *)ip;
509                     th = (struct tcphdr *)((caddr_t)ip + off0);
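
The check Matt describes in the quoted reply, and the m_len precondition that the KASSERT at tcp_input.c:505 tests, as an added userland model. This is not DragonFly's ip_demux.c or tcp_input.c code and not from either poster: struct mbuf is a toy, pullup() stands in for the kernel's m_pullup(), and demux_check() and run_scenario() are names invented here. The packets and mbuf splits are constructed; the scenario in main() has the shape of the dumped mbuf above (a head whose m_len is below sizeof(struct tcpiphdr) while the rest of the packet hangs off mh_next), and run_scenario() also covers cases the thread only mentions, such as a first fragment too short to hold the whole TCP header and a later fragment that must go to reassembly.

```c
/* Added example (not DragonFly kernel code): a toy mbuf chain and the demux-side
 * header checks discussed in the thread. demux_check, pullup and run_scenario
 * are this example's own names, stand-ins for ip_demux.c and m_pullup(). */
#include <stdio.h>
#include <string.h>
#define IP_OFFMASK  0x1fff  /* fragment offset field */
#define IP_MF       0x2000  /* "more fragments" flag */
#define IPPROTO_TCP 6
#define IPPROTO_UDP 17
#define IP_HDRLEN   20
#define TCP_HDRLEN  20      /* IP_HDRLEN + TCP_HDRLEN == sizeof(struct tcpiphdr) */
#define UDP_HDRLEN  8
#define MSTORE      128     /* per-mbuf storage in this model */
struct mbuf {
    struct mbuf *m_next;        /* next mbuf of the same packet */
    unsigned char *m_data;      /* first data byte in this mbuf */
    int m_len;                  /* bytes of data in this mbuf */
    int m_pkthdr_len;           /* bytes in the whole packet (head only) */
    unsigned char store[MSTORE];
};
enum demux_result { DEMUX_OK, DEMUX_DROP_SHORT, DEMUX_DROP_SPLIT, DEMUX_DEFER_REASS };

/* Model of m_pullup(): gather the first len bytes of the chain into the head
 * mbuf; NULL if the chain is shorter. Drained followers just keep m_len 0. */
static struct mbuf *pullup(struct mbuf *m, int len)
{
    unsigned char tmp[MSTORE];
    int got = 0;
    if (m->m_len >= len) return m;              /* already contiguous */
    if (len > MSTORE) return NULL;
    for (struct mbuf *n = m; n != NULL && got < len; n = n->m_next) {
        int take = n->m_len < len - got ? n->m_len : len - got;
        memcpy(tmp + got, n->m_data, take);
        n->m_data += take;  n->m_len -= take;  got += take;
    }
    if (got < len) return NULL;
    memcpy(m->store, tmp, len);
    m->m_data = m->store;  m->m_len = len;
    return m;
}

/* The ordering Matt describes: find the protocol, hand later fragments to
 * reassembly, require the whole transport header inside the first fragment,
 * then pull ip+transport headers into the head mbuf before tcp/udp input. */
static enum demux_result demux_check(struct mbuf **mp)
{
    struct mbuf *m = *mp;
    const unsigned char *ip;
    int hlen, off, thlen;
    if ((m = pullup(m, IP_HDRLEN)) == NULL) return DEMUX_DROP_SHORT;
    *mp = m;
    ip = m->m_data;
    hlen = (ip[0] & 0x0f) * 4;
    off = (ip[6] << 8) | ip[7];
    if (hlen < IP_HDRLEN) return DEMUX_DROP_SHORT;
    switch (ip[9]) {
    case IPPROTO_TCP: thlen = TCP_HDRLEN; break;
    case IPPROTO_UDP: thlen = UDP_HDRLEN; break;
    default:          return DEMUX_OK;      /* nothing to check */
    }
    if ((off & IP_OFFMASK) != 0) return DEMUX_DEFER_REASS;  /* later fragment */
    /* First fragment or whole datagram: the transport header must fit in it
     * entirely, so it can never straddle a fragment boundary. */
    if (m->m_pkthdr_len < hlen + thlen) return DEMUX_DROP_SPLIT;
    /* Establish what the KASSERT at tcp_input.c:505 tests: m_len >= ip+tcp. */
    if ((m = pullup(m, hlen + thlen)) == NULL) return DEMUX_DROP_SHORT;
    *mp = m;
    return (off & IP_MF) ? DEMUX_DEFER_REASS : DEMUX_OK;
}

static int last_head_len;   /* head m_len after the last run_scenario() */
/* Constructed input: minimal IPv4 header plus transport_bytes of zeros, split
 * into an mbuf of s0 bytes and, if s1 > 0, a second mbuf of s1 bytes. */
static enum demux_result run_scenario(int proto, int transport_bytes, int off_field,
                                      int s0, int s1)
{
    unsigned char pkt[MSTORE] = { 0x45 };       /* IPv4, 20-byte header */
    struct mbuf pool[2] = { { 0 } };
    struct mbuf *m = &pool[0];
    int total = IP_HDRLEN + transport_bytes;
    enum demux_result r;
    pkt[2] = total >> 8;      pkt[3] = total & 0xff;
    pkt[6] = off_field >> 8;  pkt[7] = off_field & 0xff;
    pkt[8] = 64;              pkt[9] = proto;
    memcpy(pool[0].store, pkt, s0);
    pool[0].m_data = pool[0].store;  pool[0].m_len = s0;  pool[0].m_pkthdr_len = s0 + s1;
    if (s1 > 0) {
        memcpy(pool[1].store, pkt + s0, s1);
        pool[1].m_data = pool[1].store;  pool[1].m_len = s1;  pool[0].m_next = &pool[1];
    }
    r = demux_check(&m);
    last_head_len = m->m_len;
    return r;
}

int main(void)
{   /* the dumped mbuf's shape: head too short for ip+tcp, rest in mh_next */
    enum demux_result r = run_scenario(IPPROTO_TCP, 60, 0, 8, 72);
    printf("split headers: result %d, head m_len %d\n", r, last_head_len);
    return 0;
}
```

demux_check() returns DEMUX_DROP_SPLIT for a first fragment shorter than ip header plus transport header, DEMUX_DEFER_REASS for any fragment it cannot hand to tcp_input() directly, and DEMUX_OK only once the head mbuf holds the full ip+tcp (or ip+udp) header, which is the state the KASSERT requires. A chain like the dumped one, with mh_len 0 in the head and the packet in mh_next, passes only because the second pullup() runs before the transport code looks at the header.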




