
Subject: Re: BUG: crasher [IMPORTANT PATCH]
From: Roberto Nibali <ratz,AT,tac,DOT,ch>
Date: Fri, 18 Jan 2002 15:41:47 +0100
In-reply-to: <E16NgCt-0001da-00@bigred.inka.de>

Hello Olaf,

> This must be an old problem, why was it never found? :-) To my

Holy cow! That's why our cipe tunnels always crashed when
connecting with netcat and sending 7 bytes + 1 byte return!!!

> knowledge it exists in all published versions of CIPE. It causes a

Yes, it exists in all versions, 1.4.x -> 1.5.x. You could
trigger it with nmap and netcat. One bug less ... :)

> crash when CIPE receives too small packets. Thanks to Larry McVoy for
> alerting me to this bug.
> 
> The attached patch is from the CVS but applies cleanly to 1.5.2.

Thanks for fixing it. I was getting irritated debugging it with
no success. And we run machines with up to 120 tunnels and 16
physical interfaces. The chance of hitting it is huge.

> +    if (length<cipehdrlen+(c->sockshost?sizeof(struct sockshdr):0)) {
> +        printk(KERN_INFO "%s: got short packet from %s\n", c->dev->name,
> +               cipe_ntoa(saddr(skb)));
> +       goto framerr;
> +    }
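Review bot: the `goto framerr;` on the fourth line of this hunk is indented seven spaces while the rest of the block uses eight; align it with the printk above it. The check itself has the right shape (compare length against the header bytes the code is about to read, including the socks header when c->sockshost is set), but the KERN_INFO printk fires once per short datagram from any sender, so a stream of such packets fills the kernel log; the existing "got bogus length" message in the trace further down has the same property, and both would be better rate limited or reduced to a counter increment.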

Verified trace:

(perl -e 'print "X"x41' | netcat -u -p 10209 tm 10209)

the module without the patch:
 1 Jan 17 13:46:47 tm frcb9: got bogus length=1
 3 Jan 17 13:46:57 tm frcb9: got bogus length=3
 7 Jan 17 13:47:15 tm frcb9: got bogus length=7
 9 Jan 17 13:47:21 tm frcb9: got bogus length=9
35 Jan 17 13:47:28 tm frcb9: got bogus length=35
36 Jan 17 13:47:35 tm frcb9: got bogus length=36
39 Jan 17 13:47:41 tm frcb9: got bogus length=39
40 no output!!!
41 Jan 17 13:47:54 tm frcb9: got bogus length=41
 8 Jan 17 13:48:01 tm Unable to handle kernel paging request
                      ^^^^^^^^^^^^^^^^^^^^^^^
                          boooooom!

with the patch:
 1 Jan 17 13:34:36 tm frcb9: got short packet from 172.23.2.8
 7 Jan 17 13:34:41 tm frcb9: got short packet from 172.23.2.8
 8 Jan 17 13:34:47 tm frcb9: got short packet from 172.23.2.8
 9 Jan 17 13:34:53 tm frcb9: got short packet from 172.23.2.8
35 Jan 17 13:35:01 tm frcb9: got short packet from 172.23.2.8
36 Jan 17 13:35:08 tm frcb9: got bogus length=36
39 Jan 17 13:35:23 tm frcb9: got bogus length=39
40 no output!!!
41 Jan 17 13:35:30 tm frcb9: got bogus length=41

Question: Why doesn't it log the 40 byte packets? Some packet
stripping which branches into a different invariant of your
code path? Some eth_len check mismatch?
 
>      n=alloc_skb(skb->len, GFP_KERNEL);
>      if (!n) {
> @@ -390,10 +395,8 @@
>      c->stat.rx_packets++;
>      return NULL;
> 
> -#if 0
>   framerr:
>      ++c->stat.rx_frame_errors; /* slightly abuse this */
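Review bot: removing the `#if 0` brings the `framerr:` label back into compiled code, but the matching `#endif` that closed that block is not in this excerpt; the header `@@ -390,10 +395,8 @@` accounts for two removed lines with no additions, so please confirm the second removed line is that `#endif`, otherwise the module will not build. Also, now that framerr is the drop path for short packets, incrementing only rx_frame_errors (the comment already calls this a slight abuse) leaves the drop counter (rx_dropped) untouched; counting the drop as well keeps the interface statistics honest.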

Is this the cipe interface RX frame error counter you get with
ip -s li sh? Why not increase the drop counter too?

Cheers and thanks again,
Roberto Nibali, ratz

-- 
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc