From eric@johngalt.ennovatenetworks.com  Mon Mar 30 13:28:48 1998
Received: from johngalt.ennovatenetworks.com (johngalt.ennovatenetworks.com [208.227.99.141])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA25772
          for <FreeBSD-gnats-submit@freebsd.org>; Mon, 30 Mar 1998 13:28:47 -0800 (PST)
          (envelope-from eric@johngalt.ennovatenetworks.com)
Received: (from eric@localhost)
	by johngalt.ennovatenetworks.com (8.8.7/8.8.7) id QAA00502;
	Mon, 30 Mar 1998 16:28:39 -0500 (EST)
	(envelope-from eric)
Message-Id: <199803302128.QAA00502@johngalt.ennovatenetworks.com>
Date: Mon, 30 Mar 1998 16:28:39 -0500 (EST)
From: eric@ennovatenetworks.com
Reply-To: eric@ennovatenetworks.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: IP reassembly fails when some options present
X-Send-Pr-Version: 3.2

>Number:         6177
>Category:       misc
>Synopsis:       IP reassembly fails when some options present
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar 30 13:30:01 PST 1998
>Closed-Date:    Mon Apr 13 10:27:15 PDT 1998
>Last-Modified:  Mon Apr 13 10:27:33 PDT 1998
>Originator:     Eric Sprinkle
>Release:        FreeBSD 2.2.5-RELEASE i386
>Organization:
Ennovate Networks, Inc
>Environment:

	Two machines on the same IP subnet.  Intel Etherexpress 100 NICs

>Description:

	An oversized ping with record-route option fails the checksum test
	in ip_input and gets discarded.

	The function ip_input in ip_input.c determines the IP header length
	for each packet or fragment and saves the length in the variable 'hlen'.
	Later on ip_input decides it's a fragment and reassembles it and calls
	icmp_input with the header length.  Unfortunately, hlen is the length
	of the last fragment's IP header, which may be different than the
	header length of the first fragment.  The 'record-route' option is
	an example of an option that is only present in the first fragment of
	a datagram.

>How-To-Repeat:

	ping -s 3000 -R remote-node

>Fix:

	In the code scrap below, from ip_input, the comment and 
	the one line after the comment (hlen = ...) fix the problem.

	
	if (((struct ipasfrag *)ip)->ipf_mff & 1 || ip->ip_off) {
	    ipstat.ips_fragments++;
	    ip = ip_reass((struct ipasfrag *)ip, fp, &ipq[sum]);
	    if (ip == 0)
	        return;

	    /*
	     *  Get the reassembled packet's header length
	     */
	    hlen = IP_VHL_HL(ip->ip_vhl) << 2;

	    ipstat.ips_reassembled++;
	    m = dtom(ip);

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: phk 
State-Changed-When: Mon Apr 13 10:27:15 PDT 1998 
State-Changed-Why:  
committed, thanks! 
>Unformatted:
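
Added example (not part of the original report and not FreeBSD source): a user-space model of the failure described above, showing that an ICMP checksum verified at the last fragment's header length fails while the same datagram verifies once hlen is re-read from the reassembled header. The sizes, option bytes, payload and helper names are constructed for illustration, and the check is a simplified stand-in for the kernel's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { FIRST_HLEN = 60, LAST_HLEN = 20, ICMP_LEN = 3008 }; /* constructed sizes */

/* RFC 1071 Internet checksum over len bytes (big-endian 16-bit words). */
static uint16_t in_cksum(const uint8_t *p, size_t len) {
    uint32_t sum = 0;
    for (; len > 1; p += 2, len -= 2)
        sum += ((uint32_t)p[0] << 8) | p[1];
    if (len)
        sum += (uint32_t)p[0] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Header length in bytes from the version/IHL byte, like IP_VHL_HL(vhl) << 2. */
static unsigned ip_hlen(const uint8_t *ip) { return (unsigned)(ip[0] & 0x0f) << 2; }

/* Constructed reassembled datagram: the first fragment's 60-byte header
 * (20 fixed + 40 option bytes holding record-route) + ICMP echo request. */
static size_t build_reassembled(uint8_t *d) {
    uint8_t *icmp = d + FIRST_HLEN;
    memset(d, 0, FIRST_HLEN + ICMP_LEN);
    d[0] = 0x40 | (FIRST_HLEN >> 2);        /* version 4, IHL 15 */
    d[20] = 7; d[21] = 39; d[22] = 4;       /* RR: type, length, pointer */
    icmp[0] = 8;                            /* echo request, code 0 */
    for (size_t i = 8; i < ICMP_LEN; i++)
        icmp[i] = (uint8_t)i;               /* constructed payload */
    uint16_t c = in_cksum(icmp, ICMP_LEN);  /* checksum field is still 0 here */
    icmp[2] = (uint8_t)(c >> 8); icmp[3] = (uint8_t)c;
    return FIRST_HLEN + ICMP_LEN;
}

/* Simplified receive-side check: skip hlen bytes, verify the rest.
 * use_reassembled == 0 models the stale hlen left over from the last fragment. */
static int icmp_cksum_ok(int use_reassembled) {
    static uint8_t d[FIRST_HLEN + ICMP_LEN];
    size_t n = build_reassembled(d);
    unsigned hlen = use_reassembled ? ip_hlen(d) : LAST_HLEN;
    return in_cksum(d + hlen, n - hlen) == 0;
}

int main(void) {
    printf("stale hlen (last fragment): %s\n", icmp_cksum_ok(0) ? "ok" : "bad checksum");
    printf("hlen from reassembled hdr:  %s\n", icmp_cksum_ok(1) ? "ok" : "bad checksum");
    return 0;
}
```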
