NetBSD Problem Report #49834
From www@NetBSD.org Fri Apr 10 22:20:43 2015
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 1322AA582D
for <gnats-bugs@gnats.NetBSD.org>; Fri, 10 Apr 2015 22:20:43 +0000 (UTC)
Message-Id: <20150410222041.91E8EA65BB@mollari.NetBSD.org>
Date: Fri, 10 Apr 2015 22:20:41 +0000 (UTC)
From: nbsd.pr@fenyo.net
Reply-To: nbsd.pr@fenyo.net
To: gnats-bugs@NetBSD.org
Subject: invalid mbuf size comparison when dealing with neighbor solicitations and advertisements
X-Send-Pr-Version: www-1.0
>Number: 49834
>Category: kern
>Synopsis: invalid mbuf size comparison when dealing with neighbor solicitations and advertisements
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Apr 10 22:25:00 +0000 2015
>Closed-Date: Thu May 17 12:11:23 +0000 2018
>Last-Modified: Thu May 17 12:11:23 +0000 2018
>Originator: Alexandre FENYO
>Release: NetBSD current
>Organization:
>Environment:
every ports (I think the bug comes from KAME, since it was integrated in NetBSD 1.5)
>Description:
In kernel file src/sys/netinet6/nd6_nbr.c, two mbuf size comparisons are erroneous:
Excerpt from line 374 to 477:
if (max_linkhdr + maxlen >= MCLBYTES) {
printf("nd6_ns_output: max_linkhdr + maxlen >= MCLBYTES "
"(%d + %d > %d)\n", max_linkhdr, maxlen, MCLBYTES);
panic("nd6_ns_output: insufficient MCLBYTES");
The two tests ">=" should be ">", like it is correctly written in the last second line of the printf: "(%d + %d > %d)\n"
This is a bug because if max_linkhdr + maxlen == MCLBYTES, the packet can be handled correctly: there is enough space in the mbuf cluster.
The same mistake is done in the same file, from line 873 to 876:
if (max_linkhdr + maxlen >= MCLBYTES) {
printf("nd6_na_output: max_linkhdr + maxlen >= MCLBYTES "
"(%d + %d > %d)\n", max_linkhdr, maxlen, MCLBYTES);
panic("nd6_na_output: insufficient MCLBYTES");
Anyway, this is a very minor bug since this case should never happen: the Neigbor Advertisement and Neighbor Solicitation packets are always small enough to be contained in a single MBUF cluster. But the code is wrong, the code would be nicer if it was corrected.
>How-To-Repeat:
>Fix:
Rewrite code like that:
from line 374 to 477:
if (max_linkhdr + maxlen > MCLBYTES) {
printf("nd6_ns_output: max_linkhdr + maxlen > MCLBYTES "
"(%d + %d > %d)\n", max_linkhdr, maxlen, MCLBYTES);
panic("nd6_ns_output: insufficient MCLBYTES");
And from line 873 to 876:
if (max_linkhdr + maxlen > MCLBYTES) {
printf("nd6_na_output: max_linkhdr + maxlen > MCLBYTES "
"(%d + %d > %d)\n", max_linkhdr, maxlen, MCLBYTES);
panic("nd6_na_output: insufficient MCLBYTES");
>Release-Note:
>Audit-Trail:
From: "Maxime Villard" <maxv@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/49834 CVS commit: src/sys/netinet6
Date: Thu, 17 May 2018 12:07:48 +0000
Module Name: src
Committed By: maxv
Date: Thu May 17 12:07:48 UTC 2018
Modified Files:
src/sys/netinet6: nd6_nbr.c
Log Message:
Fix the KASSERTs. It doesn't matter at all since the packet can't be this
big anyway, and there are many other places that have this kind of typo;
but still fix it, for the sake of closing PR/49834.
To generate a diff of this commit:
cvs rdiff -u -r1.154 -r1.155 src/sys/netinet6/nd6_nbr.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->closed
State-Changed-By: maxv@NetBSD.org
State-Changed-When: Thu, 17 May 2018 12:11:23 +0000
State-Changed-Why:
Fixed, thanks.
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.43 2018/01/16 07:36:43 maya Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2017
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.