Subject: IP_HDRINCL send on little-endian machine causes kernel panic
To: None <current-users@NetBSD.ORG, tech-kern@NetBSD.ORG>
From: Jonathan Stone <jonathan@dsg.stanford.edu>
List: tech-kern
Date: 07/22/1996 15:34:44
hi,
It seems that NetBSD 1.2 (and I presume -current) have a bug in
sending IP_HDRINCL packets on little-endian machines. Little-endian
kernels will panic when sending a legitimate packet on a raw socket
with IP_HDRINCL set.
The kernel assumes that outbound IP packets have the ip_len and ip_off
in machine native byteorder. io_output() converts these fields
to network byte order immediately before checksumming a packet and
sending it to an interface output routine. Until then, ip_output
interprets these fields in host byteorder.
sys/netinet/raw_ip.c:rip_output() is taking the header it gets from a
socket with IP_HDRINCL set, and passing it into the kernel. I
_assume_ that the intended user/kernel interface is that packets
written to a raw socket with IP_HDRINCL specify the total length and
offset fields in network byte order. If so, rip_output should be
byteswapping those fields. It isn't.
The consequence is that if one uses a raw socket to send an IP packet
with a preformatted header on a little-endian machine, with a
network-order IP length, this length is interpreted in host byteorder
inside ip_output(). (For example, an IP datagram of length
40 bytes is treated as being 102400 bytes long).
When ip_output() examines the byteswapped IP length field, it computes
that a packet that's actually within the interface MTU (e.g., 40
bytes) needs fragmenting, computes how big a fragment it can send, and
calls m_copym() to construct the fragment. Since the packet isn't
acually that big, m_copym() panics.
I'm guessing that the following an appropriate fix. Is it remotely
possible that the IP_HDRINCL interface is _meant_ to export the
kernel's assumption that, on output, ip_len and ip_off are in native
host byteorder??
*** raw_ip.c Sun May 26 04:42:43 1996
--- raw_ip.c.dsg Mon Jul 22 15:25:21 1996
***************
*** 186,191 ****
--- 186,194 ----
if (ip->ip_id == 0)
ip->ip_id = htons(ip_id++);
opts = NULL;
+ /* XXX ip_output assumes ip_len and ip_off in host byteorder */
+ ip->ip_len = ntohs(ip->ip_len);
+ ip->ip_off = ntohs(ip->ip_off);
/* XXX prevent ip_output from overwriting header fields */
flags |= IP_RAWOUTPUT;
ipstat.ips_rawout++;