From robert@cyrus.watson.org  Sun Feb 27 07:40:52 2000
Return-Path: <robert@cyrus.watson.org>
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
	by hub.freebsd.org (Postfix) with ESMTP
	id 9EFFB37B653; Sun, 27 Feb 2000 07:40:50 -0800 (PST)
	(envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3])
	by fledge.watson.org (8.9.3/8.9.3) with SMTP id KAA06278;
	Sun, 27 Feb 2000 10:41:55 -0500 (EST)
	(envelope-from robert@cyrus.watson.org)
Message-Id: <Pine.NEB.3.96L.1000227104131.5881A-100000@fledge.watson.org>
Date: Sun, 27 Feb 2000 10:41:55 -0500 (EST)
From: Robert Watson <robert@cyrus.watson.org>
Reply-To: Robert Watson <robert+freebsd@cyrus.watson.org>
To: csg@waterspout.com
Cc: FreeBSD-gnats-submit@freebsd.org, mdodd@freebsd.org,
	jkh@freebsd.org
In-Reply-To: <200002240550.AAA31092@squall.waterspout.com>
Subject: Re: arpintr() incorrectly checks mbuf chain size

>Number:         17019
>Category:       kern
>Synopsis:       Re: arpintr() incorrectly checks mbuf chain size
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    gnats-admin
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Feb 27 07:50:01 PST 2000
>Closed-Date:    Sun Feb 27 20:07:08 PST 2000
>Last-Modified:  Wed Oct 26 05:59:37 GMT 2005
>Originator:     
>Release:        
>Organization:
>Environment:
>Description:
 Jordan -- did it end up being the case that you did approve this fix, or
 did not?
 
 On Thu, 24 Feb 2000 csg@waterspout.com wrote:
 
 > 
 > >Submitter-Id:   current-users
 > >Originator:     C. Stephen Gunn
 > >Organization:   WaterSpout Communications, Inc.
 > >Confidential:   no
 > >Synopsis:       arpintr() incorrectly checks mbuf chain size
 > >Severity:       serious
 > >Priority:       high
 > >Category:       kern
 > >Release:        FreeBSD 3.4-STABLE i386
 > >Class:          sw-bug
 > >Environment: 
 > 
 > FreeBSD-3.4-STABLE or FreeBSD-4.0 current.
 > 
 > >Description: 
 > 
 > The NETISR_ARP handler arpintr() incorrectly checks m->m_len to
 > determine if we have a complete ARP packet.  It is possible to
 > have a packet spread across several mbufs in the chain.
 > 
 > While this case apparently doesn't happen with normal ethernet
 > interfaces, additional mbuf operations before ARP processing (for
 > 802.1Q Tagged VLANS, Bridged Ethernet over Frame Relay, or perhaps
 > LANE) can cause NETISR_ARP to be presented with a fragmented packet.
 > 
 > >How-To-Repeat: 
 > 
 > Run my yet-to-see-the-light-of-day VLAN improvements, it blows chunks
 > on every inbound ARP packet.
 > 
 > >Fix: 
 > 
 > I've not only fixed the length comparison, I've added several
 > diagnostic error messages to the handler for other out-of-the-norm
 > ARP packets.  This makes the error conditions easier to detect
 > and fix, and makes the code much more readable.
 > 
 > I've put patches for -STABLE and -CURRENT (which are actually
 > identical) online:
 > 
 >    http://www.waterspout.com/FreeBSD/arpintr-patch.current
 > 
 >    http://www.waterspout.com/FreeBSD/arpintr-patch.stable
 > 
 > If someone could perform a sanity check, and get these committed
 > before 4.0-R heads out the door, that would be ideal.
 > 
 >  - Steve
 > 
 > 
 
 
   Robert N M Watson 
 
 robert@fledge.watson.org              http://www.watson.org/~robert/
 PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
 TIS Labs at Network Associates, Safeport Network Services
 
 
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: steve 
State-Changed-When: Sun Feb 27 20:07:08 PST 2000 
State-Changed-Why:  
Intended as a followup to kern/16950. 
>Unformatted:
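
Added example, not part of this PR and not the patch linked in it: a user-space model of the length check the report describes, showing why testing the first buffer's m_len rejects a complete ARP packet that is split across the chain. The struct is a simplified stand-in for the kernel's struct mbuf, and first_mbuf_check, chain_len, chain_copy and build_split_arp are hypothetical helper names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Simplified stand-in for the kernel's struct mbuf (assumption: only the
 * fields this example needs). */
struct mbuf {
    struct mbuf *m_next;      /* next buffer in the chain */
    size_t m_len;             /* valid bytes in THIS buffer only */
    unsigned char m_data[64];
};
#define ARP_ETH_IP_LEN 28     /* 8-byte ARP header + 2 * (6 + 4) address bytes */

/* The check the report describes: only the first mbuf is consulted. */
static int first_mbuf_check(const struct mbuf *m) { return m->m_len >= ARP_ETH_IP_LEN; }

/* Total bytes held by the whole chain. */
static size_t chain_len(const struct mbuf *m) {
    size_t n = 0;
    for (; m != NULL; m = m->m_next) n += m->m_len;
    return n;
}

/* Gather the first `want` bytes into contiguous storage (the job m_pullup()
 * does in the kernel). Returns 0, or -1 if the chain really is too short. */
static int chain_copy(const struct mbuf *m, unsigned char *out, size_t want) {
    size_t off = 0;
    if (chain_len(m) < want)
        return -1;
    for (; m != NULL && off < want; m = m->m_next) {
        size_t take = m->m_len < want - off ? m->m_len : want - off;
        memcpy(out + off, m->m_data, take);
        off += take;
    }
    return 0;
}

/* Constructed sample: bytes 0..27 split across two mbufs at `split`. */
static void build_split_arp(struct mbuf *a, struct mbuf *b, size_t split) {
    a->m_next = b;    a->m_len = split;
    b->m_next = NULL; b->m_len = ARP_ETH_IP_LEN - split;
    for (size_t i = 0; i < ARP_ETH_IP_LEN; i++)
        (i < split ? a : b)->m_data[i < split ? i : i - split] = (unsigned char)i;
}

int main(void) {
    struct mbuf a, b; unsigned char pkt[ARP_ETH_IP_LEN];
    build_split_arp(&a, &b, 8);   /* header in one mbuf, addresses in the next */
    printf("%d %zu %d\n", first_mbuf_check(&a), chain_len(&a), chain_copy(&a, pkt, sizeof pkt));
    return 0;
}
```

Only the chain total distinguishes a fragmented packet from a short one; the first-buffer test treats both the same.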
