svn commit: r328314 - in head/sys: netinet netinet6
Navdeep Parhar
np at FreeBSD.org
Wed Jan 24 05:09:22 UTC 2018
Author: np
Date: Wed Jan 24 05:09:21 2018
New Revision: 328314
URL: https://svnweb.freebsd.org/changeset/base/328314
Log:
Do not generate illegal mbuf chains during IP fragment reassembly. Only
the first mbuf of the reassembled datagram should have a pkthdr.
This was discovered with cxgbe(4) + IPSEC + ping with payload more than
interface MTU. cxgbe can generate !M_WRITEABLE mbufs and this results
in m_unshare being called on the reassembled datagram, and it complains:
panic: m_unshare: m0 0xfffff80020f82600, m 0xfffff8005d054100 has M_PKTHDR
PR: 224922
Reviewed by: ae@
MFC after: 1 week
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D14009
Modified:
head/sys/netinet/ip_reass.c
head/sys/netinet6/frag6.c
Modified: head/sys/netinet/ip_reass.c
==============================================================================
--- head/sys/netinet/ip_reass.c Wed Jan 24 04:29:16 2018 (r328313)
+++ head/sys/netinet/ip_reass.c Wed Jan 24 05:09:21 2018 (r328314)
@@ -377,6 +377,7 @@ ip_reass(struct mbuf *m)
q->m_nextpkt = NULL;
m->m_pkthdr.csum_flags &= q->m_pkthdr.csum_flags;
m->m_pkthdr.csum_data += q->m_pkthdr.csum_data;
+ m_demote_pkthdr(q);
m_cat(m, q);
}
/*
Modified: head/sys/netinet6/frag6.c
==============================================================================
--- head/sys/netinet6/frag6.c Wed Jan 24 04:29:16 2018 (r328313)
+++ head/sys/netinet6/frag6.c Wed Jan 24 05:09:21 2018 (r328314)
@@ -541,6 +541,7 @@ insert:
while (t->m_next)
t = t->m_next;
m_adj(IP6_REASS_MBUF(af6), af6->ip6af_offset);
+ m_demote_pkthdr(IP6_REASS_MBUF(af6));
m_cat(t, IP6_REASS_MBUF(af6));
free(af6, M_FTABLE);
af6 = af6dwn;
More information about the svn-src-all
mailing list