kern/61215: off-by-one error likely in ip_fragment()

Andre Oppermann andre at
Thu Jan 15 12:13:56 PST 2004

David Gilbert wrote:
> >>>>> "Andre" == Andre Oppermann <andre at> writes:
> Andre> David, the problem with if_gre is actually twofold:
> Andre>   - the change of htons(m->m_pkthdr.len) in the last commit to
> Andre> that file is incorrect.  In FreeBSD this is done in ip_output
> Andre> for all packets sent (unless RAW).
> Andre>   - The struct ip which is contained in struct gh is not
> Andre> correctly initialized.  For some reason this didn't matter until
> Andre> now.  It seems M_PREPEND may return non-zeroed memory.
> Andre> There is no problem in either ip_fragment() nor m_copym() (and
> Andre> the 'fix' I posted is bogus, however some of those KASSERTs are
> Andre> highly bogus too and misleading).
> Andre> Please try the attached patch.  I was able to get correct GRE
> Andre> packets with that patch (as seen by ethereal).
> Andre> I'm not sure if it is better to do a bzero() on the entire
> Andre> struct gh to have all ip header values set to zero for sure.
> Andre> There are still some that are uninitialized.
> I'm not sure what's up.  Your patch wouldn't apply to v1.17 of my
> if_gre.c, so something's wrong with the patch.  Regardless, I applied
> the patch by hand and things didn't work yet.

Didn't it apply because of patch complaining or because it didn't
match at all?

> The kernel didn't crash, but packets routed into the tunnel didn't
> show up on the outbound interface.  In my case, the machine has three
> ethernet-like interfaces and the gre.
> wi0 and sis0 are internal networks.  dc0 is the external network
> interface.  A /32 route for the far end of the tunnel exists (and
> works on the new kernel ... it pings), but pings into the tunnel don't
> generate traffic on dc0 (at least according to tcpdump).

Do you enable "link1" on your GRE interface?

What does ifconfig -a show?
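The two if_gre defects discussed above (converting ip_len with htons() in the encapsulator when ip_output() already does so, and leaving fields of the prepended struct ip uninitialised because M_PREPEND hands back stale memory) can be reproduced outside the kernel. The program below is an added userland model written for this archive page; it is not code from if_gre.c, ip_output() or the FreeBSD kernel, and every struct and function name in it (ipv4_hdr, fake_m_prepend, gre_encap_buggy, gre_encap_fixed, fake_ip_output, and the 0xA5 stale pattern) is constructed for the illustration. It assumes, as the thread does, that ip_output() converts ip_len itself and that prepended mbuf space is not cleared.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not kernel code: a userland model of the if_gre header
 * handling discussed in the thread. Assumptions (constructed): ip_output()
 * converts ip_len to network order for every non-raw packet, and M_PREPEND
 * returns uncleared memory, modelled here by a 0xA5 fill pattern. */

#define GRE_PROTO 47
#define STALE 0xA5   /* constructed stand-in for stale mbuf bytes */

struct ipv4_hdr {            /* wire layout of an IPv4 header, no options */
    uint8_t  vhl, tos;
    uint16_t len, id, off;
    uint8_t  ttl, proto;
    uint16_t sum;
    uint32_t src, dst;
};

/* Stand-in for M_PREPEND: room is reserved but not cleared. */
static void fake_m_prepend(struct ipv4_hdr *ip) { memset(ip, STALE, sizeof *ip); }

/* Buggy encapsulator: sets only a few fields and pre-swaps ip_len. */
static void gre_encap_buggy(struct ipv4_hdr *ip, uint16_t payload_len) {
    fake_m_prepend(ip);
    ip->vhl   = 0x45;
    ip->proto = GRE_PROTO;
    /* wrong: ip_output() will convert this a second time */
    ip->len   = htons((uint16_t)(sizeof *ip + payload_len));
}

/* Corrected encapsulator: zero the whole header, keep ip_len in host order. */
static void gre_encap_fixed(struct ipv4_hdr *ip, uint16_t payload_len) {
    fake_m_prepend(ip);
    memset(ip, 0, sizeof *ip);          /* the bzero() the thread considers */
    ip->vhl   = 0x45;
    ip->ttl   = 64;
    ip->proto = GRE_PROTO;
    ip->len   = (uint16_t)(sizeof *ip + payload_len); /* ip_output converts */
}

/* RFC 1071 one's-complement sum over the header bytes, read big-endian. */
static uint16_t ip_cksum(const void *p, size_t n) {
    const uint8_t *b = p;
    uint32_t s = 0;
    for (size_t i = 0; i + 1 < n; i += 2) s += (uint32_t)(b[i] << 8 | b[i + 1]);
    if (n & 1) s += (uint32_t)(b[n - 1] << 8);
    while (s >> 16) s = (s & 0xFFFF) + (s >> 16);
    return (uint16_t)~s;
}

/* Model of the part of ip_output() the thread refers to: it converts
 * ip_len to network order itself, then fills in the header checksum. */
static void fake_ip_output(struct ipv4_hdr *ip) {
    ip->len = htons(ip->len);
    ip->sum = 0;
    ip->sum = htons(ip_cksum(ip, sizeof *ip));
}

/* Total length as a receiver reads it off the wire (big-endian bytes). */
static unsigned wire_total_len(const struct ipv4_hdr *ip) {
    const uint8_t *b = (const uint8_t *)ip;
    return (unsigned)(b[2] << 8 | b[3]);
}

/* Number of header fields still carrying the stale fill pattern. */
static int stale_fields(const struct ipv4_hdr *ip) {
    int n = 0;
    n += ip->tos == STALE;
    n += ip->ttl == STALE;
    n += ip->id  == (uint16_t)(STALE << 8 | STALE);
    n += ip->off == (uint16_t)(STALE << 8 | STALE);
    return n;
}

/* A valid checksum says nothing about stale fields: it covers whatever
 * bytes were there, garbage included. */
static int cksum_ok(const struct ipv4_hdr *ip) { return ip_cksum(ip, sizeof *ip) == 0; }

int main(void) {
    struct ipv4_hdr bad, good;
    gre_encap_buggy(&bad, 16);  fake_ip_output(&bad);
    gre_encap_fixed(&good, 16); fake_ip_output(&good);
    printf("buggy: wire len %u, stale fields %d, cksum ok %d\n",
           wire_total_len(&bad), stale_fields(&bad), cksum_ok(&bad));
    printf("fixed: wire len %u, stale fields %d, cksum ok %d\n",
           wire_total_len(&good), stale_fields(&good), cksum_ok(&good));
    return 0;
}
```

On a little-endian host the buggy path puts the total length on the wire byte-swapped (9216 instead of 36 for a 16-byte payload), which is exactly the kind of malformed packet a receiver or a capture tool would flag; on a big-endian host htons() is the identity and the double conversion goes unnoticed, which is one reason such a bug can survive for a while. The stale-field count shows why zeroing the whole prepended header is the safer choice: the checksum verifies either way, so it will not catch leaked memory contents in tos, id, off or ttl.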

