Hampton@DOCKMASTER.arpa (David R. Hampton) (11/23/87)
Subject: Bug in BSD4.2 IP option fragmentation and reassembly
Index: netinet/ip_input.c
netinet/ip_output.c
Description:
This problem occurs only on outgoing IP packets that must be
fragmented, and incoming fragments that must be reassembled.
The problem exists because the fragmentation and reassembly
routines use the size of a standard IP header (20 bytes) in
their calculations for determining where the IP data begins.
Note that the routine that does the actual copying of options
functions correctly.
Repeat-by:
This is kind of hard to do if your system doesn't implement
outgoing IP options. (Standard 4.2 doesn't.) If you can find
a host that implements options, send fragmented packets
containing a copy-on-fragmentation option to your 4.2 host.
IP receives all of them, but it never passes them off to TCP.
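The offset error the Description and Repeat-by sections describe, as an added C example that is not code from the report or from the BSD sources: it puts the 20-byte `sizeof (struct ip)` assumption beside the `ip_hl << 2` computation on a constructed packet carrying one copied option. The 0x88 Stream ID option is only a stand-in for any copy-on-fragmentation option, and the packet bytes, `data_offset` and `frag_ip_len` are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* sizeof (struct ip): the fixed 20-byte header the 4.2 routines assumed. */
#define IP_FIXED_HDR 20

/* Constructed packet (not captured traffic): a 24-byte IP header with
 * ip_hl = 6, carrying one 4-byte copied option (0x88, Stream ID, used
 * here as a stand-in for any copy-on-fragmentation option), then 8
 * bytes of transport data. */
static const uint8_t pkt[] = {
    0x46, 0x00, 0x00, 0x20,   /* version 4, ip_hl 6, tos, total length 32 */
    0x12, 0x34, 0x00, 0x00,   /* id, flags / fragment offset */
    0x40, 0x06, 0x00, 0x00,   /* ttl, protocol TCP, checksum left unset */
    10, 0, 0, 1,              /* source */
    10, 0, 0, 2,              /* destination */
    0x88, 0x04, 0x00, 0x01,   /* option: copied class, 4 bytes long */
    'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H'  /* transport data */
};

/* Header length the way the option copier (and the fix) derives it. */
size_t ip_hdr_len(const uint8_t *ip) { return (size_t)(ip[0] & 0x0f) << 2; }

/* Where the transport data starts: the 4.2 code used the fixed size,
 * the corrected code uses the header-length field. */
size_t data_offset(const uint8_t *ip, int use_ip_hl) {
    return use_ip_hl ? ip_hdr_len(ip) : IP_FIXED_HDR;
}

/* Total length written into a fragment header: data carried in the
 * fragment plus the header actually built for it (mh->m_len in the fix). */
size_t frag_ip_len(size_t hdr_built, size_t data, int use_built_hdr) {
    return data + (use_built_hdr ? hdr_built : IP_FIXED_HDR);
}

/* First byte the transport layer would be handed under each computation. */
uint8_t first_data_byte(const uint8_t *ip, int use_ip_hl) {
    return ip[data_offset(ip, use_ip_hl)];
}

int main(void) {
    printf("buggy: data offset %zu, first byte 0x%02x (option byte, not data)\n",
           data_offset(pkt, 0), first_data_byte(pkt, 0));
    printf("fixed: data offset %zu, first byte '%c'\n",
           data_offset(pkt, 1), first_data_byte(pkt, 1));
    printf("fragment ip_len for 8 data bytes: buggy %zu, fixed %zu\n",
           frag_ip_len(ip_hdr_len(pkt), 8, 0), frag_ip_len(ip_hdr_len(pkt), 8, 1));
    return 0;
}
```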
Fix:
***** netinet/ip_output.c *****
140c140,141
< m->m_len -= sizeof (struct ip);
< m->m_off += sizeof (struct ip);
---
> m->m_len -= hlen;
> m->m_off += hlen;
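Review bot: the replacement lines only help if `hlen` already holds the full header length, options included, at line 140 of ip_output(); if it is initialised from `sizeof (struct ip)` and updated only when options are inserted, confirm that update happens before the fragmentation code runs, otherwise these two lines change nothing for the packets this report is about.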
165c165
< mhip->ip_len += sizeof (struct ip);
---
> mhip->ip_len += mh->m_len;
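Review bot: `mh->m_len` gives the right total here only if the option-copy routine has already set it to the length of the header it built for this fragment; the fragment's `mhip->ip_hl` should be derived from the same value so the header-length field and ip_len agree, and this hunk does not show that being done.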
***** netinet/ip_input.c *****
356c356,357
< m->m_len += sizeof (struct ipasfrag);
< m->m_off -= sizeof (struct ipasfrag);
---
> m->m_len += ((struct ip*) ip)->ip_hl << 2;
> m->m_off -= ((struct ip*) ip)->ip_hl << 2;
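Review bot: the cast back to `struct ip` relies on the ipasfrag overlay leaving the version/header-length byte intact while the fragment sits on the reassembly queue; a comment stating that would help, and computing `ip_hl << 2` once into a local avoids repeating the expression on both lines.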