From jkh@zippy.cdrom.com  Sun Feb 27 11:03:00 2000
Return-Path: <jkh@zippy.cdrom.com>
Received: from zippy.cdrom.com (zippy.cdrom.com [204.216.27.228])
	by hub.freebsd.org (Postfix) with ESMTP
	id A527B37B663; Sun, 27 Feb 2000 11:02:59 -0800 (PST)
	(envelope-from jkh@zippy.cdrom.com)
Received: from zippy.cdrom.com (jkh@localhost [127.0.0.1])
	by zippy.cdrom.com (8.9.3/8.9.3) with ESMTP id LAA72347;
	Sun, 27 Feb 2000 11:02:36 -0800 (PST)
	(envelope-from jkh@zippy.cdrom.com)
Message-Id: <72301.951678156@zippy.cdrom.com>
Date: Sun, 27 Feb 2000 11:02:36 -0800
From: "Jordan K. Hubbard" <jkh@zippy.cdrom.com>
To: Robert Watson <robert+freebsd@cyrus.watson.org>
Cc: csg@waterspout.com, FreeBSD-gnats-submit@freebsd.org,
	mdodd@freebsd.org, jkh@freebsd.org
In-Reply-To: Your message of "Sun, 27 Feb 2000 10:41:55 EST."
             <Pine.NEB.3.96L.1000227104131.5881A-100000@fledge.watson.org> 
Subject: Re: arpintr() incorrectly checks mbuf chain size 

>Number:         17021
>Category:       kern
>Synopsis:       Re: arpintr() incorrectly checks mbuf chain size
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    gnats-admin
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Feb 27 11:10:01 PST 2000
>Closed-Date:    Sun Feb 27 20:07:44 PST 2000
>Last-Modified:  Wed Oct 26 05:59:28 GMT 2005
>Originator:     
>Release:        
>Organization:
>Environment:
>Description:
 Yes, I approved these awhile back.
 
 > 
 > Jordan -- did it end up being the case that you did approve this fix, or
 > did not?
 > 
 > On Thu, 24 Feb 2000 csg@waterspout.com wrote:
 > 
 > > 
 > > >Submitter-Id:   current-users
 > > >Originator:     C. Stephen Gunn
 > > >Organization:   WaterSpout Communications, Inc.
 > > >Confidential:   no
 > > >Synopsis:       arpintr() incorrectly checks mbuf chain size
 > > >Severity:       serious
 > > >Priority:       high
 > > >Category:       kern
 > > >Release:        FreeBSD 3.4-STABLE i386
 > > >Class:          sw-bug
 > > >Environment: 
 > > 
 > > FreeBSD-3.4-STABLE or FreeBSD-4.0 current.
 > > 
 > > >Description: 
 > > 
 > > The NETISR_ARP handler arpintr() incorrectly checks m->m_len to
 > > determine if we have a complete ARP packet.  It is possible to
 > > have a packet spread across several mbufs in the chain.
 > > 
 > > While this case apparently doesn't happen with normal ethernet
 > > interfaces, additional mbuf operations before ARP processing (for
 > > 802.1Q Tagged VLANS, Bridged Ethernet over Frame Relay, or perhaps
 > > LANE) can cause NETISR_ARP to be presented with a fragmented packet.
 > > 
 > > >How-To-Repeat: 
 > > 
 > > Run my yet-to-see-the-light-of-day VLAN improvements, it blows chunks
 > > on every inbound ARP packet.
 > > 
 > > >Fix: 
 > > 
 > > I've not only fixed the length comparison, I've added several
 > > diagnostic error messages to the handler for other out-of-the-norm
 > > ARP packets.  This makes the error conditions easier to detect
 > > and fix, and makes the code much more readable.
 > > 
 > > I've put patches for -STABLE and -CURRENT (which are actually
 > > identical) online:
 > > 
 > >    http://www.waterspout.com/FreeBSD/arpintr-patch.current
 > > 
 > >    http://www.waterspout.com/FreeBSD/arpintr-patch.stable
 > > 
 > > If someone could perform a sanity check, and get these committed
 > > before 4.0-R heads out the door, that would be ideal.
 > > 
 > >  - Steve
 > > 
 > > 
 > 
 > 
 >   Robert N M Watson 
 > 
 > robert@fledge.watson.org              http://www.watson.org/~robert/
 > PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
 > TIS Labs at Network Associates, Safeport Network Services
 > 
 
 
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: steve 
State-Changed-When: Sun Feb 27 20:07:44 PST 2000 
State-Changed-Why:  
Intended as a followup to kern/16950. 
>Unformatted:
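The length check described in the report, as an added example that is not the patch linked above or any FreeBSD source: a complete ARP packet split across two buffers is judged too short when only the first buffer's m_len is examined. The struct mbuf here is a simplified stand-in, and the m_pkthdr_len field, the function names and the sample packet are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ARP_LEN 28  /* Ethernet/IPv4 ARP: 8-byte header + 2 * (6 + 4) address bytes */

/* Simplified stand-in for a BSD mbuf (assumption: not the kernel's own struct). */
struct mbuf {
    struct mbuf *m_next;       /* next buffer of the same packet */
    size_t m_len;              /* bytes stored in THIS buffer only */
    size_t m_pkthdr_len;       /* bytes in the whole packet (first mbuf only) */
    unsigned char m_data[64];
};

/* The check the report describes: only the first mbuf is considered. */
int arp_len_ok_first_only(const struct mbuf *m, size_t need) { return m->m_len >= need; }

/* Chain-aware check: compare against the length of the whole packet. */
int arp_len_ok_chain(const struct mbuf *m, size_t need) { return m->m_pkthdr_len >= need; }

/* Gather `need` bytes from the chain into contiguous storage before parsing.
 * Returns 0 on success, -1 if the chain holds fewer than `need` bytes. */
int chain_copy(const struct mbuf *m, unsigned char *dst, size_t need)
{
    size_t off = 0;
    for (; m != NULL && off < need; m = m->m_next) {
        size_t n = m->m_len < need - off ? m->m_len : need - off;
        memcpy(dst + off, m->m_data, n);
        off += n;
    }
    return off == need ? 0 : -1;
}

/* Constructed sample: one complete ARP request split 4 + 24 across two mbufs.
 * Result bits: 1 = first-only check passed, 2 = chain check passed,
 * 4 = gathered bytes match the original packet. */
int demo_split_arp(void)
{
    unsigned char pkt[ARP_LEN] = {0, 1, 8, 0, 6, 4, 0, 1}, out[ARP_LEN];
    struct mbuf b = { NULL, ARP_LEN - 4, 0, {0} };
    struct mbuf a = { &b, 4, ARP_LEN, {0} };
    memcpy(a.m_data, pkt, 4);
    memcpy(b.m_data, pkt + 4, ARP_LEN - 4);
    int r = arp_len_ok_first_only(&a, ARP_LEN) | (arp_len_ok_chain(&a, ARP_LEN) << 1);
    if (chain_copy(&a, out, ARP_LEN) == 0 && memcmp(out, pkt, ARP_LEN) == 0)
        r |= 4;
    return r;
}

int main(void) { printf("result bits: %d\n", demo_split_arp()); return 0; }
```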
