Subject: Syn cache corrupts kernel data!!
To: None <current-users@NetBSD.ORG, thorpej@NetBSD.ORG>
From: Juergen Hannken-Illjes <>
List: current-users
Date: 07/27/1997 19:00:22
I found a severe bug due to the new `syn_cache' functionality in netinet/tcp_input.c

The problem:

A mbuf comes into `tcp_input' and goes through line 601 where TCP, IP headers and TCP
options are dropped from the mbuf.
At line 815 a `goto findpcb' occurs and the (now stripped down) mbuf comes to line 465
and enters `syn_cache_add()'.
This function treats the mbuf as a complete tcpip header and therefore modifies data
AFTER the mbuf.
In the best case I get `Data modified on freelist' messages, but most time the system

I don't know how to fix this problem in a clean way. The following patch makes things
better by saving the mbuf's data and length before `findpcb:' and restoring them just
after the label.

--- tcp_input.c-	Fri Jul 25 18:45:26 1997
+++ tcp_input.c	Sun Jul 27 18:41:32 1997
@@ -291,4 +291,6 @@
 	struct tcp_opt_info opti;
 	int iphlen;
+/*YYY*/ caddr_t initial_data;
+/*YYY*/	int initial_len;
 	va_list ap;
@@ -383,5 +385,9 @@
 	 * Locate pcb for segment.
+/*YYY*/ initial_data = m->m_data;
+/*YYY*/ initial_len = m->m_len;
+/*YYY*/ m->m_data = initial_data;
+/*YYY*/ m->m_len = initial_len;
 	inp = in_pcblookup_connect(&tcbtable, ti->ti_src, ti->ti_sport,
 	    ti->ti_dst, ti->ti_dport);

Juergen Hannken-Illjes - - TU Braunschweig (Germany)