From nobody@nwww.freebsd.org  Mon May  6 21:41:21 2002
Return-Path: <nobody@nwww.freebsd.org>
Received: from nwww.freebsd.org (nwww.FreeBSD.org [216.136.204.117])
	by hub.freebsd.org (Postfix) with ESMTP id 91B5437B406
	for <freebsd-gnats-submit@FreeBSD.org>; Mon,  6 May 2002 21:41:20 -0700 (PDT)
Received: from nwww.freebsd.org (localhost [127.0.0.1])
	by nwww.freebsd.org (8.12.2/8.12.2) with ESMTP id g474glhG055288
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 6 May 2002 21:42:47 -0700 (PDT)
	(envelope-from nobody@nwww.freebsd.org)
Received: (from nobody@localhost)
	by nwww.freebsd.org (8.12.2/8.12.2/Submit) id g474gliD055287;
	Mon, 6 May 2002 21:42:47 -0700 (PDT)
Message-Id: <200205070442.g474gliD055287@nwww.freebsd.org>
Date: Mon, 6 May 2002 21:42:47 -0700 (PDT)
From: "Amit K. Rao" <arao@niksun.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [PATCH]: Bug in Multilink PPP reassembly: mp_Assemble()
X-Send-Pr-Version: www-1.0

>Number:         37813
>Category:       bin
>Synopsis:       [PATCH]: Bug in Multilink PPP reassembly: mp_Assemble()
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    brian
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon May 06 21:50:01 PDT 2002
>Closed-Date:    Tue May 07 05:49:36 PDT 2002
>Last-Modified:  Tue May 07 05:49:36 PDT 2002
>Originator:     Amit K. Rao
>Release:        current
>Organization:
NIKSUN Inc.
>Environment:
FreeBSD 4.2-RELEASE up to CURRENT
>Description:
Could you please glance at the following patch to HEAD and see if it actually is a bug. During multilink PPP reassembly in src/usr.sbin/ppp/mp.c,v 1.49: mp_Assemble(), when you put the fragment back at the front of the queue, don't you need to fix the offset back so that you can continue to readHeader() from the fragment the next time around?

i.e.:

--- mp-current.c        Tue May  7 00:18:37 2002
+++ mp.c        Tue May  7 00:17:22 2002
@@ -558,6 +558,8 @@
            * Stuff our fragment back at the front of the queue and zap
            * our half-assembed packet.
            */
+         (*frag)->m_offset -= len;
+         (*frag)->m_len += len;
           (*frag)->m_nextpkt = mp->inbufs;
           mp->inbufs = *frag;
           *frag = NULL;
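Review bot: The two added lines undo the `(*frag)->m_offset += len; (*frag)->m_len -= len;` applied earlier in the same loop iteration, so the next mp_Assemble() call can run mp_ReadHeader() on the requeued fragment from the start of its header again; this is only correct because `len` still holds the header length returned for this very fragment at the point of the requeue, which the surrounding context shows it does. The `m_nextpkt` clearing done alongside the offset adjustment needs no compensating change here, since the requeue reassigns `(*frag)->m_nextpkt = mp->inbufs` anyway. The variant in the >Fix: section, which defers the adjustment until the fragment is actually kept, avoids having to undo anything and is the easier one to reason about.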

>How-To-Repeat:
Occurs in rare conditions: while reassembling an MLPPP fragment if a trailing fragment is missing.
>Fix:
 --- mp-current.c        Tue May  7 00:18:37 2002
+++ mp.c        Tue May  7 00:37:35 2002
@@ -543,9 +543,6 @@
         len = mp_ReadHeader(mp, *frag, &h);
         if (first == -1)
           first = h.seq;
-        (*frag)->m_offset += len;
-        (*frag)->m_len -= len;
-        (*frag)->m_nextpkt = NULL;
         if (frag == &q && !h.begin) {
           log_Printf(LogWARN, "Oops - MP frag %lu should have a begin flag\n",
                     (u_long)h.seq);
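Review bot: With the three lines removed here, every path that does not reach the later `else` block (the `!h.begin` warning path shown in this hunk and the requeue path) now keeps the fragment's header in place, which is the intent; a reviewer would want to confirm that nothing between this point and that `else` reads `m_len` or `m_offset` expecting the header already stripped, since that code is not visible in the hunk.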
@@ -565,10 +562,14 @@
           q = NULL;
           frag = &q;
           h.end = 0;   /* just in case it's a whole packet */
-        } else
-          do
-            frag = &(*frag)->m_next;
-          while (*frag != NULL);
+        } else {
+           (*frag)->m_offset += len;
+           (*frag)->m_len -= len;
+           (*frag)->m_nextpkt = NULL;
+           do
+               frag = &(*frag)->m_next;
+           while (*frag != NULL);
+       }
       } while (!h.end);

       if (q) { 
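Review bot: Indentation in the added `else` block does not match the surrounding 2-space style: the body lines carry 3 extra spaces and the closing `+       }` sits one column left of the `} else {` it pairs with, so realign before committing. The logic itself is sound: moving `m_offset += len`, `m_len -= len` and `m_nextpkt = NULL` into this branch means they run only when the fragment is actually appended to the packet under assembly, so the requeue path no longer needs the compensating subtraction from the first patch in >Description:.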
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->brian 
Responsible-Changed-By: cjc 
Responsible-Changed-When: Mon May 6 22:33:56 PDT 2002 
Responsible-Changed-Why:  
Over to ppp(8) maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=37813 
State-Changed-From-To: open->closed 
State-Changed-By: brian 
State-Changed-When: Tue May 7 05:49:09 PDT 2002 
State-Changed-Why:  
Applied to -current.  I'll MFC in 1 week if re@ oks it. 

Thanks for the patch. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=37813 
>Unformatted:
