Subject: kern/367: if_ppp.c doesn't allocate enough mbufs for input packets
To: None <gnats-admin>
From: None <osymh@gemini.oscs.montana.edu>
List: netbsd-bugs
Date: 07/26/1994 22:35:10
>Number:         367
>Category:       kern
>Synopsis:       pppgetm() only allocates one mbuf for input packets
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    gnats-admin (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Jul 26 22:35:06 1994
>Originator:     Michael Hitch
>Organization:
	Montana State University
>Release:        NetBSD 1.0_BETA July 25
>Environment:
	
System: NetBSD amiga.oscs.montana.edu 1.0_BETA NetBSD 1.0_BETA (ZEUS) #940725.5: Tue Jul 26 22:27:47 1994 root@amiga.oscs.montana.edu:/opt/sys/arch/amiga/compile/ZEUS amiga
Architecture: amiga

>Description:
	
	When if_ppp.c allocates mbufs, the pppgetm() routine only allocates
	a single mbuf.  If a packet is received that won't fit in a single
	mbuf, the attempt to allocate space for the packet will fail and the
	packet will be dropped.
	The problem is that pppgetm() sets up the pointer to the first mbuf,
	but never advances the pointer for the additional mbuf(s), but does
	account for the non-allocated mbuf(s).  As a result, only one mbuf
	is allocated when more than one is required, but no error is returned.
>How-To-Repeat:
	
	Telnet or rlogin from NetBSD to another system and run something
	that outputs any large amount of data, enough so that the ppp packet
	length will be larger than one mbuf can hold.  The telnet/rlogin
	session will then hang because the packet is thrown away.  [This
	requires that the MTU of the ppp link is larger than 1 mbuf.]
>Fix:
	
	This patch fixes pppgetm() to update the pointer to next mbuf as
	it traverses the mbuf chain.

*** /mnt/src/sys/net/if_ppp.c	Thu Jul 21 22:18:05 1994
--- /opt/sys/net/if_ppp.c	Tue Jul 26 23:02:34 1994
***************
*** 1030,1035 ****
--- 1030,1036 ----
  	    MCLGET(m, M_DONTWAIT);
  	}
  	len -= M_DATASIZE(m);
+ 	mp = &m->m_next;
      }
      splx(s);
      return len <= 0;
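
Review bot: The added `mp = &m->m_next;` at the end of the loop body has no comment, and the visible context never says that `mp` must always point at the link field where the next mbuf gets attached; a one-line comment to that effect would make the invariant explicit. Please also confirm that `m` cannot be NULL when `len -= M_DATASIZE(m);` and the new line are reached, since `MCLGET(m, M_DONTWAIT)` just above is a non-blocking allocation and the hunk does not show the check for a failed mbuf allocation. The function's only failure signal is `return len <= 0;`, so a note that callers must test it would be useful.
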
>Audit-Trail:
>Unformatted:


------------------------------------------------------------------------------
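
The failure mode in the description, modelled in user space as an added example (not code from if_ppp.c or from the report): a chain-filling loop that credits a buffer's capacity on every pass but only grows the chain when its link pointer is advanced. `struct buf`, `BUF_DATASIZE`, `fill_chain`, `chain_capacity` and the 300-byte request are all hypothetical names and constructed values.

```c
#include <stdio.h>
#include <stdlib.h>

#define BUF_DATASIZE 128  /* assumed capacity of one buffer (constructed value) */

/* Hypothetical user-space stand-in for an mbuf: payload plus a chain link. */
struct buf {
    struct buf *next;
    char data[BUF_DATASIZE];
};

/*
 * Ensure the chain at *head can hold len bytes; return 1 when the accounting
 * reaches len. advance == 0 models the behaviour described in the report.
 */
int fill_chain(struct buf **head, int len, int advance)
{
    struct buf *b, **bp = head;

    while (len > 0) {
        if ((b = *bp) == NULL) {
            if ((b = calloc(1, sizeof *b)) == NULL)
                break;            /* out of memory: len stays positive */
            *bp = b;
        }
        len -= BUF_DATASIZE;      /* credit this buffer's capacity */
        if (advance)
            bp = &b->next;        /* move on to the next link field */
    }
    return len <= 0;
}

/* Capacity the chain really has, found by walking it. */
int chain_capacity(const struct buf *b)
{
    int total = 0;
    for (; b != NULL; b = b->next)
        total += BUF_DATASIZE;
    return total;
}

int main(void)
{
    struct buf *stuck = NULL, *fixed = NULL;
    int r1 = fill_chain(&stuck, 300, 0), r2 = fill_chain(&fixed, 300, 1);
    printf("no advance: ok=%d capacity=%d\n", r1, chain_capacity(stuck));
    printf("advance:    ok=%d capacity=%d\n", r2, chain_capacity(fixed));
    return 0;
}
```

Both calls report success, but without the advance the same buffer is credited three times and the chain holds one buffer's worth of space, so the shortfall only surfaces later when a larger packet has to be stored.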