TCP/IP bug (in udp_usrreq.c)

utzoo!decvax!harpo!seismo!stewart
Tue Mar 8 16:18:44 AEST 1983


The following fragment comes from .../net/udp_usrreq.c (4.31 82/08/15)
beginning at line 56 (in udp_input()):
	/*
	 * Make mbuf data length reflect UDP length.
	 * If not enough data to reflect UDP length, drop.
	 */
	len = ntohs((u_short)ui->ui_ulen);
	if (((struct ip *)ui)->ip_len != len) {
		if (len > ((struct ip *)ui)->ip_len) {
			udpstat.udps_badlen++;
			goto bad;
		}
		m_adj(m, ((struct ip *)ui)->ip_len - len);
		/* (struct ip *)ui->ip_len = len; */
	}
(I believe the sense of the test in the second if statement is
correct.)  The call to m_adj() should throw away excess data at
the end of the mbuf chain.  For this, the second argument must be
negative.  However, it is positive, causing the excess to be shaved
off the front of the chain.  Therefore the call to m_adj() should
be changed to:
		m_adj(m, -(((struct ip *)ui)->ip_len - len));
This was done in the version for pdp11's which I received from
SRI International.
	John Stewart, Teledyne Geotech (Alexandria, VA) 703-276-7900
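The m_adj() sign error the post describes, worked through as an added example (not from the original post or the 4.2BSD sources). It assumes a toy single-buffer stand-in for the mbuf chain, the documented m_adj() contract (positive trims the front, negative trims the end), and constructed datagram contents.

```c
#include <string.h>

/* Toy stand-in for an mbuf chain: one buffer (assumption; the real chain is a list). */
struct mbuf {
    unsigned char data[64];
    int len;
};

/* Mirrors the m_adj() contract the post relies on: a positive request
 * trims bytes from the front of the chain, a negative one from the end. */
static void m_adj(struct mbuf *m, int req_len)
{
    if (req_len >= 0) {
        if (req_len > m->len) req_len = m->len;
        memmove(m->data, m->data + req_len, (size_t)(m->len - req_len));
        m->len -= req_len;
    } else {
        req_len = -req_len;
        if (req_len > m->len) req_len = m->len;
        m->len -= req_len;
    }
}

/* Constructed datagram: 8 header bytes 'H', (ulen - 8) payload bytes 'P',
 * then trailing junk 'J' up to ip_len, so ip_len may exceed ulen. */
static void make_datagram(struct mbuf *m, int ip_len, int ulen)
{
    memset(m->data, 'J', sizeof m->data);
    memset(m->data, 'H', 8);
    memset(m->data + 8, 'P', (size_t)(ulen - 8));
    m->len = ip_len;
}

/* Run the length reconciliation from udp_input() either as shipped
 * (fixed == 0, positive m_adj argument) or with the proposed negative
 * argument (fixed != 0).  Returns how many UDP header bytes are still at
 * the front of the chain afterwards, or -1 when the datagram is dropped. */
int udp_header_bytes_left(int ip_len, int ulen, int fixed)
{
    struct mbuf m; int i;
    make_datagram(&m, ip_len, ulen);
    if (ip_len != ulen) {
        if (ulen > ip_len)
            return -1;                       /* udps_badlen++; goto bad */
        m_adj(&m, fixed ? -(ip_len - ulen) : (ip_len - ulen));
    }
    for (i = 0; i < m.len && m.data[i] == 'H'; i++)
        ;
    return i;
}
```

With 20 bytes of trailing junk the shipped call leaves no header bytes at the front of the chain, while the negated call keeps all 8 and discards only the tail.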