Subject: Re: BUG: crasher [IMPORTANT PATCH]
From: Roberto Nibali <ratz,AT,tac,DOT,ch>
Date: Fri, 18 Jan 2002 15:41:47 +0100
In-reply-to: <E16NgCt-0001da-00@bigred.inka.de>

Hello Olaf,
> This must be an old problem, why was it never found? :-) To my

Holy cow! That's why our cipe tunnels always crashed when
connecting with netcat and sending 7 bytes + 1 byte return!!!

> knowledge it exists in all published versions of CIPE. It causes a

Yes, it exists in all versions, 1.4.x -> 1.5.x. You could
trigger it with nmap and netcat. One bug less ... :)

> crash when CIPE receives too small packets. Thanks to Larry McVoy for
> alerting me to this bug.
>
> The attached patch is from the CVS but applies cleanly to 1.5.2.

Thanks for fixing it. I was getting irritated debugging it with
no success. And we run machines with up to 120 tunnels and 16
physical interfaces. The chance of hitting it is huge.

> + if (length<cipehdrlen+(c->sockshost?sizeof(struct sockshdr):0)) {
> + printk(KERN_INFO "%s: got short packet from %s\n", c->dev->name,
> + cipe_ntoa(saddr(skb)));
> + goto framerr;
> + }
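Review bot: the new short-packet branch logs at KERN_INFO for every undersized datagram, including the sender address, before any authentication has happened, so an unauthenticated remote host can flood the kernel log at wire speed; guard the printk with net_ratelimit() (or count silently and log only the first occurrence) while keeping the `goto framerr` so the packet is still dropped. The comparison itself, `length<cipehdrlen+(c->sockshost?sizeof(struct sockshdr):0)`, is the right minimum for the fixed headers and must stay ahead of any header dereference; since `framerr` only bumps `rx_frame_errors`, consider also incrementing the drop counter there so the loss shows up in interface statistics.
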
Verified trace:
(perl -e 'print "X"x41' | netcat -u -p 10209 tm 10209)
the module without the patch:
1 Jan 17 13:46:47 tm frcb9: got bogus length=1
3 Jan 17 13:46:57 tm frcb9: got bogus length=3
7 Jan 17 13:47:15 tm frcb9: got bogus length=7
9 Jan 17 13:47:21 tm frcb9: got bogus length=9
35 Jan 17 13:47:28 tm frcb9: got bogus length=35
36 Jan 17 13:47:35 tm frcb9: got bogus length=36
39 Jan 17 13:47:41 tm frcb9: got bogus length=39
40 no output!!!
41 Jan 17 13:47:54 tm frcb9: got bogus length=41
8 Jan 17 13:48:01 tm Unable to handle kernel paging request
^^^^^^^^^^^^^^^^^^^^^^^
boooooom!
with the patch:
1 Jan 17 13:34:36 tm frcb9: got short packet from 172.23.2.8
7 Jan 17 13:34:41 tm frcb9: got short packet from 172.23.2.8
8 Jan 17 13:34:47 tm frcb9: got short packet from 172.23.2.8
9 Jan 17 13:34:53 tm frcb9: got short packet from 172.23.2.8
35 Jan 17 13:35:01 tm frcb9: got short packet from 172.23.2.8
36 Jan 17 13:35:08 tm frcb9: got bogus length=36
39 Jan 17 13:35:23 tm frcb9: got bogus length=39
40 no output!!!
41 Jan 17 13:35:30 tm frcb9: got bogus length=41
Question: Why doesn't it log the 40 byte packets? Some packet
stripping which branches into a different invariant of your
code path? Some eth_len check mismatch?
> n=alloc_skb(skb->len, GFP_KERNEL);
> if (!n) {
> @@ -390,10 +395,8 @@
> c->stat.rx_packets++;
> return NULL;
>
> -#if 0
> framerr:
> ++c->stat.rx_frame_errors; /* slightly abuse this */
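Review bot: the hunk header `@@ -390,10 +395,8 @@` says two lines are removed, but only `-#if 0` is visible here, so the matching `#endif` deletion lies outside the quoted context; confirm it is the other removed line, otherwise the label is reachable but the file no longer compiles. With `framerr:` live again, `++c->stat.rx_frame_errors; /* slightly abuse this */` is now hit by the new short-packet path as well; bump `rx_dropped` alongside it so the drop is visible in `ip -s li sh`, and replace the "slightly abuse" comment with a sentence stating which receive errors are accounted under rx_frame_errors.
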
Is this the cipe interface RX frame error counter you get with
ip -s li sh? Why not increase the drop counter too?
Cheers and thanks again,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc
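
An added example, not CIPE's code and not from the original message: a small C model of a UDP tunnel receive path that applies the same minimum-length guard the patch adds, replays the packet sizes from the netcat trace above, and reports how far an unchecked parser would have read past the end of each datagram. The header layouts (`struct tunnelhdr`, `struct sockshdr`), their sizes, the `inner_len` field and the statistics struct are hypothetical stand-ins; only the shape of the check `length < hdrlen + (sockshost ? sizeof(struct sockshdr) : 0)` mirrors the patch.

```c
/*
 * Added example (not CIPE's code): a minimal model of a UDP tunnel receive
 * path showing why the short-packet guard matters and how to test it.
 * Header layouts and sizes are hypothetical; only the check mirrors the patch.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size headers. Real CIPE and SOCKS header sizes differ. */
struct sockshdr  { uint8_t bytes[10]; };                /* stand-in for a SOCKS UDP relay header */
struct tunnelhdr { uint8_t iv[4]; uint8_t flags[2]; uint8_t inner_len[2]; }; /* 8 bytes, inner_len big-endian */

enum rx_result { RX_OK = 0, RX_SHORT_PACKET, RX_BOGUS_LENGTH };

struct rx_stats { unsigned long rx_packets, rx_frame_errors, rx_dropped; };

/* Bytes that must be present before any header field may be read. */
size_t tunnel_min_len(int sockshost)
{
    return sizeof(struct tunnelhdr) + (sockshost ? sizeof(struct sockshdr) : 0);
}

static uint16_t rd16be(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Receive-side validation: the first check is the one the patch adds. */
enum rx_result tunnel_rx(const uint8_t *pkt, size_t length, int sockshost, struct rx_stats *st)
{
    size_t hdr_off = sockshost ? sizeof(struct sockshdr) : 0;
    size_t need = tunnel_min_len(sockshost);
    const struct tunnelhdr *h;
    size_t inner;

    /* Patch-style guard: without it, the header dereference below reads past
       the end of any datagram shorter than `need` bytes. */
    if (length < need) {
        st->rx_frame_errors++;
        st->rx_dropped++;          /* also count it as a drop so interface stats show it */
        return RX_SHORT_PACKET;
    }
    h = (const struct tunnelhdr *)(pkt + hdr_off);
    inner = rd16be(h->inner_len);
    /* Pre-existing style sanity check: the announced payload must match what arrived. */
    if (inner + need != length) {
        st->rx_frame_errors++;
        return RX_BOGUS_LENGTH;
    }
    st->rx_packets++;
    return RX_OK;
}

/* How far past the end of a `length`-byte datagram an unchecked parser would read. */
size_t overread_without_check(size_t length, int sockshost)
{
    size_t need = tunnel_min_len(sockshost);
    return length < need ? need - length : 0;
}

/* Build a well-formed datagram into buf; returns total length, 0 if it does not fit. */
size_t build_packet(uint8_t *buf, size_t cap, size_t payload_len, int sockshost)
{
    size_t need = tunnel_min_len(sockshost);
    struct tunnelhdr *h;
    if (payload_len > 0xFFFF || need + payload_len > cap) return 0;
    memset(buf, 0, need + payload_len);
    h = (struct tunnelhdr *)(buf + (sockshost ? sizeof(struct sockshdr) : 0));
    h->inner_len[0] = (uint8_t)(payload_len >> 8);
    h->inner_len[1] = (uint8_t)(payload_len & 0xFF);
    memset(buf + need, 'P', payload_len);  /* constructed payload */
    return need + payload_len;
}

/* Replays the sizes from the netcat trace against the checked parser. */
int main(void)
{
    static const size_t sizes[] = {1, 3, 7, 9, 35, 36, 39, 40, 41};
    uint8_t pkt[64];
    struct rx_stats st = {0, 0, 0};
    size_t i, n;

    memset(pkt, 'X', sizeof pkt);          /* equivalent of perl -e 'print "X"xN' */
    for (i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        enum rx_result r = tunnel_rx(pkt, sizes[i], 0, &st);
        printf("%2zu bytes: %s (unchecked parser would overread %zu bytes)\n", sizes[i],
               r == RX_SHORT_PACKET ? "short packet" : r == RX_BOGUS_LENGTH ? "bogus length" : "ok",
               overread_without_check(sizes[i], 0));
    }
    n = build_packet(pkt, sizeof pkt, 5, 0);
    printf("well-formed %zu-byte packet: %s\n", n,
           tunnel_rx(pkt, n, 0, &st) == RX_OK ? "ok" : "rejected");
    return 0;
}
```

The point of the model is the ordering: the length comparison happens before the cast to the header struct, so a 1-byte datagram never causes a read beyond the buffer, and the "bogus length" consistency check only runs on packets that are at least header-sized. In a real kernel receive path the equivalent of `rx_dropped++` is what makes the rejected packets visible in interface counters.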