* [PATCH] IPV6: fix payload length of reassembled packet
@ 2003-06-11 17:07 YOSHIFUJI Hideaki / 吉藤英明
2003-06-11 17:15 ` Pekka Savola
0 siblings, 1 reply; 5+ messages in thread
From: YOSHIFUJI Hideaki / 吉藤英明 @ 2003-06-11 17:07 UTC (permalink / raw)
To: davem; +Cc: netdev, yoshfuji
Hello.
I've introduced a bug, which calculates payload length
incorrectly when reassembling.
Bug was introduced in ChangeSet 1.1229.7.40.
(This patch also eliminates redundancy.)
Thanks in advance.
Index: linux-2.5/net/ipv6/reassembly.c
===================================================================
RCS file: /home/cvs/linux-2.5/net/ipv6/reassembly.c,v
retrieving revision 1.15
diff -u -r1.15 reassembly.c
--- linux-2.5/net/ipv6/reassembly.c 30 May 2003 17:46:04 -0000 1.15
+++ linux-2.5/net/ipv6/reassembly.c 11 Jun 2003 15:49:44 -0000
@@ -596,10 +596,8 @@
BUG_TRAP(FRAG6_CB(head)->offset == 0);
/* Unfragmented part is taken from the first segment. */
- payload_len = (head->data - head->nh.raw) - sizeof(struct ipv6hdr) + fq->len;
- nhoff = head->h.raw - head->nh.raw;
-
- if (payload_len > 65535 + 8)
+ payload_len = (head->data - head->nh.raw) - sizeof(struct ipv6hdr) + fq->len - 8;
+ if (payload_len > 65535)
goto out_oversize;
/* Head of list must not be cloned. */
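Review bot: The removal of `nhoff = head->h.raw - head->nh.raw;` rides along with the length fix, and the description covers it only as "eliminates redundancy". The hunk does not show where `nhoff` is assigned afterwards, so the message should name the later assignment that makes this one redundant, or the cleanup should go in a separate patch. For the fix itself, the description should say which consumer saw the wrong value: the old code allowed for the 8 bytes only in the comparison (`65535 + 8`) and left them in `payload_len`, which is what the new `- 8` corrects.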
--
Hideaki YOSHIFUJI @ USAGI Project <yoshfuji@linux-ipv6.org>
GPG FP: 9022 65EB 1ECF 3AD1 0BDF 80D8 4807 F894 E062 0EEA
* Re: [PATCH] IPV6: fix payload length of reassembled packet
2003-06-11 17:07 [PATCH] IPV6: fix payload length of reassembled packet YOSHIFUJI Hideaki / 吉藤英明
@ 2003-06-11 17:15 ` Pekka Savola
2003-06-11 17:27 ` YOSHIFUJI Hideaki / 吉藤英明
0 siblings, 1 reply; 5+ messages in thread
From: Pekka Savola @ 2003-06-11 17:15 UTC (permalink / raw)
To: YOSHIFUJI Hideaki / 吉藤英明; +Cc: davem, netdev
On Thu, 12 Jun 2003, YOSHIFUJI Hideaki / 吉藤英明 wrote:
> I've introduced a bug, which calculates payload length
> incorrectly when reassembling.
> Bug was introduced in ChangeSet 1.1229.7.40.
> (This patch also eliminates redundancy.)
>
> Thanks in advance.
>
> Index: linux-2.5/net/ipv6/reassembly.c
> ===================================================================
> RCS file: /home/cvs/linux-2.5/net/ipv6/reassembly.c,v
> retrieving revision 1.15
> diff -u -r1.15 reassembly.c
> --- linux-2.5/net/ipv6/reassembly.c 30 May 2003 17:46:04 -0000 1.15
> +++ linux-2.5/net/ipv6/reassembly.c 11 Jun 2003 15:49:44 -0000
> @@ -596,10 +596,8 @@
> BUG_TRAP(FRAG6_CB(head)->offset == 0);
>
> /* Unfragmented part is taken from the first segment. */
> - payload_len = (head->data - head->nh.raw) - sizeof(struct ipv6hdr) + fq->len;
> - nhoff = head->h.raw - head->nh.raw;
> -
> - if (payload_len > 65535 + 8)
> + payload_len = (head->data - head->nh.raw) - sizeof(struct ipv6hdr) + fq->len - 8;
s/8/sizeof(struct frag_hdr)/ ?
> + if (payload_len > 65535)
> goto out_oversize;
>
> /* Head of list must not be cloned. */
>
>
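Review bot: With `- 8` folded into the `payload_len` assignment, the subtraction now happens before the `> 65535` test, so the line assumes the unfragmented part plus `fq->len` is never smaller than 8. The declaration of `payload_len` is outside this hunk; if it is unsigned, a shorter sum would wrap to a large value and land in `out_oversize` instead of being treated as malformed. A one-line comment stating why the sum always covers the fragment header would make that invariant explicit.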
--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
* Re: [PATCH] IPV6: fix payload length of reassembled packet
2003-06-11 17:15 ` Pekka Savola
@ 2003-06-11 17:27 ` YOSHIFUJI Hideaki / 吉藤英明
2003-06-11 17:39 ` [PATCH] IPV6: eliminating magic number for sizeof(struct frag_hdr) (Re: [PATCH] IPV6: fix payload length of reassembled packet) YOSHIFUJI Hideaki / 吉藤英明
0 siblings, 1 reply; 5+ messages in thread
From: YOSHIFUJI Hideaki / 吉藤英明 @ 2003-06-11 17:27 UTC (permalink / raw)
To: pekkas; +Cc: davem, netdev
In article <Pine.LNX.4.44.0306112014560.2321-100000@netcore.fi> (at Wed, 11 Jun 2003 20:15:45 +0300 (EEST)), Pekka Savola <pekkas@netcore.fi> says:
> > + payload_len = (head->data - head->nh.raw) - sizeof(struct ipv6hdr) + fq->len - 8;
>
> s/8/sizeof(struct frag_hdr)/ ?
Yes, sizeof(struct frag_hdr).
I, however, use 8 for now to focus on the bug itself.
(We have more "8"s there which should be substituted.)
--
Hideaki YOSHIFUJI @ USAGI Project <yoshfuji@linux-ipv6.org>
GPG FP: 9022 65EB 1ECF 3AD1 0BDF 80D8 4807 F894 E062 0EEA
* [PATCH] IPV6: eliminating magic number for sizeof(struct frag_hdr) (Re: [PATCH] IPV6: fix payload length of reassembled packet)
2003-06-11 17:27 ` YOSHIFUJI Hideaki / 吉藤英明
@ 2003-06-11 17:39 ` YOSHIFUJI Hideaki / 吉藤英明
2003-06-12 7:54 ` [PATCH] IPV6: eliminating magic number for sizeof(struct frag_hdr) David S. Miller
0 siblings, 1 reply; 5+ messages in thread
From: YOSHIFUJI Hideaki / 吉藤英明 @ 2003-06-11 17:39 UTC (permalink / raw)
To: davem; +Cc: netdev, pekkas, yoshfuji
In article <20030612.022753.56899094.yoshfuji@linux-ipv6.org> (at Thu, 12 Jun 2003 02:27:53 +0900 (JST)), YOSHIFUJI Hideaki / 吉藤英明 <yoshfuji@linux-ipv6.org> says:
> > s/8/sizeof(struct frag_hdr)/ ?
>
> Yes, sizeof(struct frag_hdr).
> I, however, use 8 for now to focus on the bug itself.
> (We have more "8"s there which should be substituted.)
s/8/sizeof(struct frag_hdr)/;
please apply this on top of the original patch.
Thanks.
--- linux-2.5+fix/net/ipv6/reassembly.c Thu Jun 12 02:33:42 2003
+++ linux-2.5+fix+edited/net/ipv6/reassembly.c Thu Jun 12 02:34:27 2003
@@ -596,7 +596,7 @@
BUG_TRAP(FRAG6_CB(head)->offset == 0);
/* Unfragmented part is taken from the first segment. */
- payload_len = (head->data - head->nh.raw) - sizeof(struct ipv6hdr) + fq->len - 8;
+ payload_len = (head->data - head->nh.raw) - sizeof(struct ipv6hdr) + fq->len - sizeof(struct frag_hdr);
if (payload_len > 65535)
goto out_oversize;
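Review bot: The replaced `payload_len` line, already long with the literal, now runs far past 80 columns once `sizeof(struct frag_hdr)` is substituted. The second hunk of this same patch wraps its `memmove` call for that reason, so wrap this assignment too, for example by breaking before `+ fq->len - sizeof(struct frag_hdr);`.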
@@ -631,9 +631,10 @@
* header in order to calculate ICV correctly. */
nhoff = fq->nhoffset;
head->nh.raw[nhoff] = head->h.raw[0];
- memmove(head->head+8, head->head, (head->data-head->head)-8);
- head->mac.raw += 8;
- head->nh.raw += 8;
+ memmove(head->head + sizeof(struct frag_hdr), head->head,
+ (head->data - head->head) - sizeof(struct frag_hdr));
+ head->mac.raw += sizeof(struct frag_hdr);
+ head->nh.raw += sizeof(struct frag_hdr);
skb_shinfo(head)->frag_list = head->next;
head->h.raw = head->data;
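Review bot: `sizeof(struct frag_hdr)` now appears four times across the `memmove` arguments and the `head->mac.raw` / `head->nh.raw` adjustments, and all four must stay identical for the shifted headers and the pointers to agree. Consider a single local constant or macro for the shift so a later edit cannot change one occurrence and miss the others. The substitution otherwise keeps the arithmetic of the removed lines as long as the structure is 8 bytes, which the thread takes as given.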
--
Hideaki YOSHIFUJI @ USAGI Project <yoshfuji@linux-ipv6.org>
GPG FP: 9022 65EB 1ECF 3AD1 0BDF 80D8 4807 F894 E062 0EEA
* Re: [PATCH] IPV6: eliminating magic number for sizeof(struct frag_hdr)
2003-06-11 17:39 ` [PATCH] IPV6: eliminating magic number for sizeof(struct frag_hdr) (Re: [PATCH] IPV6: fix payload length of reassembled packet) YOSHIFUJI Hideaki / 吉藤英明
@ 2003-06-12 7:54 ` David S. Miller
0 siblings, 0 replies; 5+ messages in thread
From: David S. Miller @ 2003-06-12 7:54 UTC (permalink / raw)
To: yoshfuji; +Cc: netdev, pekkas
From: YOSHIFUJI Hideaki / 吉藤英明 <yoshfuji@linux-ipv6.org>
Date: Thu, 12 Jun 2003 02:39:19 +0900 (JST)
In article <20030612.022753.56899094.yoshfuji@linux-ipv6.org> (at Thu, 12 Jun 2003 02:27:53 +0900 (JST)), YOSHIFUJI Hideaki / 吉藤英明 <yoshfuji@linux-ipv6.org> says:
> > s/8/sizeof(struct frag_hdr)/ ?
>
> Yes, sizeof(struct frag_hdr).
> I, however, use 8 for now to focus on the bug itself.
> (We have more "8"s there which should be substituted.)
s/8/sizeof(struct frag_hdr)/;
please apply this on top of the original patch.
I've applied both patches, thanks.