[net.bugs.4bsd] 4.2 BSD IP loses mbufs - FIX

thomson@uthub.UUCP (Brian Thomson) (10/09/84)

Index: netinet/ip_input.c 4.2BSD Fix

Description:
	When the IP input module drops a truncated packet it only
	frees the last mbuf in the chain.

Repeat-By:
	Procure a network interface that habitually truncates
	incoming packets, so their actual length is less than
	that implied by the length field in the IP header.
	The RS232 interface driver from rick@seismo seems to do
	this under sufficiently heavy load.  (This is not a complaint;
	interfaces are allowed to make mistakes.)
	Each time this happens, some data mbufs may be lost.

Fix:
	In file netinet/ip_input.c, routine ipintr() accumulates
	the data size of the incoming packet by chaining down the
	linked list of mbufs, and compares this size with the data
	length indicated in the IP header.  If the packet is too short,
	the following code is exercised:

			if (i < 0) {
				ipstat.ips_tooshort++;
				goto bad;
			}

			...

	bad:
		m_freem(m);
		goto next;
	}

	But variable m was used to follow the links in the mbuf list, and
	now points at the last mbuf in the list rather than the first,
	so only the last one gets freed.  The fix is to add 1 line:

			if (i < 0) {
				ipstat.ips_tooshort++;
				m = m0;	
				goto bad;
			}


	P.S.:  netstat -s  incorrectly labels this statistic as
	number of packets "with size less than minimum"; it
	is actually the number of packets "with data size < data length".
	The "size less than minimum" statistic is ipstat.ips_toosmall.
-- 
		    Brian Thomson,	    CSRI Univ. of Toronto
		    {linus,ihnp4,uw-beaver,floyd,utzoo}!utcsrgv!uthub!thomson
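
The leak described in the post above, reproduced in a user-space model. This is an added example, not 4.2BSD source and not part of the original post: the fixed-size pool, the simplified struct mbuf, mbufs_in_use() and ip_input_model() are assumptions made for illustration, and only the cursor-versus-head behaviour of m, m0 and m_freem() follows the post.

```c
#include <stddef.h>

#define NMBUF 16
struct mbuf { struct mbuf *m_next; int m_len; int in_use; };  /* simplified model */
static struct mbuf pool[NMBUF];   /* finite supply, so every leak is permanent */

static int mbufs_in_use(void)
{
    int i, n = 0;
    for (i = 0; i < NMBUF; i++)
        n += pool[i].in_use;
    return n;
}

static struct mbuf *m_get(int len)
{
    int i;
    for (i = 0; i < NMBUF; i++)
        if (!pool[i].in_use) {
            pool[i] = (struct mbuf){ NULL, len, 1 };
            return &pool[i];
        }
    return NULL;                  /* pool exhausted: where repeated leaks end up */
}

static void m_freem(struct mbuf *m)   /* frees m and everything AFTER it */
{
    for (; m != NULL; m = m->m_next)
        m->in_use = 0;
}

/* Receive nmbufs mbufs of len_each bytes under a header claiming ip_len bytes.
 * Returns how many mbufs are still allocated afterwards, i.e. the leak. */
static int ip_input_model(int nmbufs, int len_each, int ip_len, int fixed)
{
    struct mbuf *m0 = NULL, *m, **tail = &m0;
    int before = mbufs_in_use(), i = -ip_len;

    while (nmbufs-- > 0 && (*tail = m_get(len_each)) != NULL)
        tail = &(*tail)->m_next;
    if ((m = m0) == NULL)
        return 0;
    for (i += m->m_len; m->m_next != NULL; i += m->m_len)
        m = m->m_next;            /* m finishes on the LAST mbuf of the chain */
    if (i < 0 && fixed)
        m = m0;                   /* the one-line fix: rewind to the chain head */
    m_freem(i < 0 ? m : m0);      /* "bad:" path when short, else normal release */
    return mbufs_in_use() - before;
}
```

A truncated packet that fits in a single mbuf leaks nothing even without the fix, because the cursor and the head are the same mbuf; the loss only appears on multi-mbuf chains.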