off-by-one error in ip_fragment, recently.

David Gilbert dgilbert at
Sat Jan 10 17:59:55 PST 2004

>>>>> "Andre" == Andre Oppermann <andre at> writes:

Andre> There are two possible ways this can happen: The function
Andre> m_copym was called with off == 0, or off == m->m_len.  Neither
Andre> is supposed to happen (obviously) so the bug must be in
Andre> ip_fragment.  Let's have a look at that next...

I got there pretty quickly, too.

Andre> Is this panic reproducible?  What kind of traffic was going on
Andre> at that time?  Or was it right away when you started using the
Andre> GRE tunnel?

It happens during the boot.  I'm working on clearing off a drive so
that I can get a crash dump with symbols.

I have the following in rc.conf:

ifconfig_wi0="inet x.y.z.105/29 media autoselect mode 11b mediaopt hostap ssid channel 11"
ifconfig_gre0="inet x.y.z.114 x.y.z.113 netmask tunnel a.b.27.151 x.y.z.17"
ifconfig_sis0="inet x.y.z.81/28"
static_routes="tunnel default"
route_tunnel="x.y.z.17/32 a.b.24.1"
route_default="default x.y.z.113"

dhcp picks up a.b.27.151 from my cable provider relatively
dependably.  So wi0 and sis0 are internal networks and dc0 is the
external interface.  gre0 runs over dc0.

The crash happens after a few of the daemons start.  It's a UDP send
that's large enough to fragment.  It could be a large dns packet or
ntp.  Not sure exactly.

Andre> Could you please open a PR with this information too?  It helps
Andre> keeping track of the progress.

I'll be opening the PR tomorrow once I have a crash dump and a better

This configuration is working in a kernel from 5.1-CURRENT built in


|David Gilbert, Independent Contractor.       | Two things can only be     |
|Mail:       dave at                    |  equal if and only if they |
|                              |   are precisely opposite.  |
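Added illustration, not code from this thread or from FreeBSD: a simplified mbuf chain model showing the precondition Andre states above, that a fragment copy must never start at off == 0 or exactly at off == m->m_len. The struct, m_seek and check_fragment_starts are constructed stand-ins for the kernel's mbuf, m_copym and ip_fragment, and the chain in the comments is a made-up 24-byte packet.

```c
#include <stddef.h>

/* Simplified mbuf chain model (added illustration, not FreeBSD's struct mbuf). */
struct mbuf {
    struct mbuf *m_next;
    int          m_len;   /* bytes of data held by this mbuf */
};

/* Walk to the mbuf holding byte `off` (assumed >= 0) and store the in-mbuf
 * residual in *resid, with the invariant 0 <= *resid < m->m_len: an offset
 * that falls exactly on an mbuf boundary (off == m->m_len) is carried into
 * the NEXT mbuf as residual 0 rather than handed on as resid == m_len.
 * Returns NULL when off is at/past the end of the chain (nothing to copy). */
struct mbuf *m_seek(struct mbuf *m, int off, int *resid)
{
    while (m != NULL && off >= m->m_len) {   /* '>=', not '>': boundary case */
        off -= m->m_len;
        m = m->m_next;
    }
    if (m != NULL)
        *resid = off;
    return m;
}

int m_chain_len(const struct mbuf *m)
{
    int n = 0;
    for (; m != NULL; m = m->m_next)
        n += m->m_len;
    return n;
}

/* Model of the fragmentation loop: the first fragment keeps the original
 * mbufs, so copies start at off = i * fraglen for i >= 1 (never 0) and must
 * not land on an mbuf boundary. Returns the number of copied fragments, or
 * -1 if any start offset would violate that precondition. */
int check_fragment_starts(struct mbuf *chain, int fraglen)
{
    int total = m_chain_len(chain), count = 0, resid;
    if (fraglen <= 0)
        return -1;
    for (int off = fraglen; off < total; off += fraglen, count++) {
        struct mbuf *m = m_seek(chain, off, &resid);
        if (m == NULL || resid >= m->m_len)   /* precondition violated */
            return -1;
    }
    return count;
}
```

With a constructed chain of three 8-byte mbufs, a fragment size of 8 puts every later fragment start exactly on an mbuf boundary, which m_seek resolves to residual 0 in the following mbuf instead of resid == m_len in the preceding one.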

More information about the freebsd-net mailing list