Current-Users archive


Re: crash in in6_cksum

On Mon, 25 Feb 2008, Tatoku Ogaito wrote:

> In Message <> at Wed, 20 Feb 2008 01:39:41 +0100 (CET), "Arne H. Juul" <> wrote:
>  > I'm unable to boot a current kernel on my NetBSD/i386 machine, it crashes
>  > with panic "in6_cksum: mbuf too short for IPv6 header" at stack:
> Here is a "me, too".
> In my case, I could not get a crash dump; here is a ten-finger copy:
> -----------------------------------------------------------------------
> panic: in6_cksum: mbuf too short for IPv6 header
> Stopped in pid 0.3 (system) at  netbsd:breakpoint+0x4: popl  %ebp
> db{0}> bt
> breakpoint(c07e0148,cca1ca9c,c0805400,0,0) at netbsd:breakpoint+0x4
> panic(c077c8c0,0,f3,0,0)at netbsd:panic+0x1ba
> in6_cksum(c3333200,3a,28,cb,cca1cb70) at netbsd:in6_cksum+0x214
> icmp6_input(cca1cd38,cca1cd20,3a,cca1cd14,0) at netbsd:icmp6_input+0xfc
> ip6_input(c3333200,cca1820c,cca1cd80,c03c7079,0) at netbsd:ip6_input+0x8b4
> ip6intr(0,cc2c6b40,0,0,0) at netbsd:ip6intr+0x3f

This is caused because the IP6 header is not [completely] inside the first
mbuf. In fact in the dump that Arne produced, the header mbuf was
completely empty which I found can happen when the mbuf is badly built or
modified. I looked but I don't see where this happens and it looks rather
too complex for me [since I know 0 about ip6] but probably you might
locate the bad part more easily by adding assertions like so:

+       KASSERT(m->m_len >= sizeof(struct ip6_hdr));
        ip6 = mtod(m, struct ip6_hdr *);

liberally in the ip6_input routine and rebuilding the kernel with

Another suggestion might be: which hardware are you using?  If it was the
interface driver that was creating the packet bad in the first place, that
might explain why some people see this and some do not.
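As an added illustration of the invariant behind the suggested KASSERT (this is example code written for this archive page, not NetBSD kernel code): the model below uses a hypothetical, much simplified mbuf structure and a toy pullup routine, both assumptions of the example and not NetBSD's struct mbuf or m_pullup(). It reproduces the shape Arne's dump showed, an empty head mbuf with the IPv6 header only in the following mbuf, shows that the `m->m_len >= sizeof(struct ip6_hdr)` check fails there, and shows how a consumer makes the header contiguous before reading it instead of trusting mtod() blindly. The 40-byte header is constructed; its next-header value 58 (0x3a, ICMPv6) mirrors the third argument visible in the backtrace.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified mbuf (assumption: NOT NetBSD's struct mbuf).
 * Each mbuf holds m_len valid bytes starting at m_data inside m_buf. */
#define MBUF_SIZE 64
#define IP6_HDR_LEN 40      /* size of the fixed IPv6 header on the wire */
#define IP6_NXT_OFFSET 6    /* next-header byte within that header */

struct mbuf {
    struct mbuf *m_next;
    size_t m_len;
    unsigned char *m_data;
    unsigned char m_buf[MBUF_SIZE];
};

static void mbuf_init(struct mbuf *m, const unsigned char *src, size_t len,
                      struct mbuf *next) {
    m->m_next = next;
    m->m_len = len;
    m->m_data = m->m_buf;
    if (len > 0) memcpy(m->m_buf, src, len);
}

static size_t m_chain_len(const struct mbuf *m) {
    size_t total = 0;
    for (; m != NULL; m = m->m_next) total += m->m_len;
    return total;
}

/* The invariant behind "KASSERT(m->m_len >= sizeof(struct ip6_hdr))":
 * the whole header must sit in the first mbuf before mtod() may be used. */
static int header_is_contiguous(const struct mbuf *m, size_t hdrlen) {
    return m != NULL && m->m_len >= hdrlen;
}

/* Toy pullup (assumption, not m_pullup()): copy bytes from following mbufs
 * until the first mbuf holds hdrlen contiguous bytes. Returns 0 on success,
 * -1 if the whole chain is too short (the "mbuf too short" case). */
static int m_pullup_toy(struct mbuf *m, size_t hdrlen) {
    if (m == NULL || hdrlen > MBUF_SIZE) return -1;
    if (m->m_len >= hdrlen) return 0;
    if (m_chain_len(m) < hdrlen) return -1;

    memmove(m->m_buf, m->m_data, m->m_len);   /* make room at the front */
    m->m_data = m->m_buf;
    while (m->m_len < hdrlen && m->m_next != NULL) {
        struct mbuf *n = m->m_next;
        size_t need = hdrlen - m->m_len;
        size_t take = n->m_len < need ? n->m_len : need;
        memcpy(m->m_buf + m->m_len, n->m_data, take);
        m->m_len += take;
        n->m_data += take;
        n->m_len -= take;
        if (n->m_len == 0) m->m_next = n->m_next;  /* drained: unlink it */
    }
    return m->m_len >= hdrlen ? 0 : -1;
}

/* What a careful ip6_input-style consumer does: check, pull up, then read.
 * Stores the next-header field and returns 0, or returns -1 (drop packet). */
static int read_ip6_next_header(struct mbuf *m, uint8_t *nxt) {
    if (!header_is_contiguous(m, IP6_HDR_LEN) &&
        m_pullup_toy(m, IP6_HDR_LEN) != 0)
        return -1;
    *nxt = m->m_data[IP6_NXT_OFFSET];
    return 0;
}

/* Constructed 40-byte IPv6 header: version 6, payload length 8, next header
 * 58 (ICMPv6, the 0x3a in the backtrace), hop limit 255, zero addresses. */
static const unsigned char sample_ip6_hdr[IP6_HDR_LEN] = {
    0x60, 0x00, 0x00, 0x00, 0x00, 0x08, 0x3a, 0xff,
};

/* Shape from Arne's dump: an empty head mbuf, header only in the second
 * mbuf. Returns the next-header value on success, -1 if the read fails. */
static int demo_empty_head(void) {
    struct mbuf head, body;
    uint8_t nxt = 0;
    mbuf_init(&body, sample_ip6_hdr, IP6_HDR_LEN, NULL);
    mbuf_init(&head, NULL, 0, &body);
    if (header_is_contiguous(&head, IP6_HDR_LEN)) return -2; /* unexpected */
    if (read_ip6_next_header(&head, &nxt) != 0) return -1;
    return nxt;
}

/* A chain that really is too short: 20 bytes in total across two mbufs. */
static int demo_truncated(void) {
    struct mbuf head, body;
    uint8_t nxt = 0;
    mbuf_init(&body, sample_ip6_hdr + 10, 10, NULL);
    mbuf_init(&head, sample_ip6_hdr, 10, &body);
    return read_ip6_next_header(&head, &nxt);
}

int main(void) {
    printf("empty head mbuf: next header = %d\n", demo_empty_head());
    printf("truncated chain: rc = %d\n", demo_truncated());
    return 0;
}
```

The point of the model is the ordering: the length check (or a pullup that enforces it) happens before any pointer into the header is dereferenced, so a chain whose head mbuf is empty is repaired, and a chain that is genuinely too short is dropped rather than panicking in a later consumer such as in6_cksum.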

