NetBSD-Bugs archive


kern/49834: invalid mbuf size comparison when dealing with neighbor solicitations and advertisements



>Number:         49834
>Category:       kern
>Synopsis:       invalid mbuf size comparison when dealing with neighbor solicitations and advertisements
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Apr 10 22:25:00 +0000 2015
>Originator:     Alexandre FENYO
>Release:        NetBSD current
>Organization:
>Environment:
all ports (I think the bug comes from KAME, since it was integrated in NetBSD 1.5)
>Description:
In kernel file src/sys/netinet6/nd6_nbr.c, two mbuf size comparisons are erroneous:

Excerpt from line 374 to 477:
	if (max_linkhdr + maxlen >= MCLBYTES) {
		printf("nd6_ns_output: max_linkhdr + maxlen >= MCLBYTES "
		    "(%d + %d > %d)\n", max_linkhdr, maxlen, MCLBYTES);
		panic("nd6_ns_output: insufficient MCLBYTES");

The two ">=" tests should be ">", as is correctly written in the printf format string on the second-to-last line: "(%d + %d > %d)\n"

This is a bug because if max_linkhdr + maxlen == MCLBYTES, the packet can be handled correctly: there is enough space in the mbuf cluster.

The same mistake is made in the same file, from line 873 to 876:
	if (max_linkhdr + maxlen >= MCLBYTES) {
		printf("nd6_na_output: max_linkhdr + maxlen >= MCLBYTES "
		    "(%d + %d > %d)\n", max_linkhdr, maxlen, MCLBYTES);
		panic("nd6_na_output: insufficient MCLBYTES");

Anyway, this is a very minor bug since this case should never happen: the Neighbor Advertisement and Neighbor Solicitation packets are always small enough to be contained in a single MBUF cluster. But the code is wrong, and it would be nicer if it were corrected.
>How-To-Repeat:

>Fix:
Rewrite the code like this:

from line 374 to 477:
	if (max_linkhdr + maxlen > MCLBYTES) {
		printf("nd6_ns_output: max_linkhdr + maxlen > MCLBYTES "
		    "(%d + %d > %d)\n", max_linkhdr, maxlen, MCLBYTES);
		panic("nd6_ns_output: insufficient MCLBYTES");

And from line 873 to 876:
	if (max_linkhdr + maxlen > MCLBYTES) {
		printf("nd6_na_output: max_linkhdr + maxlen > MCLBYTES "
		    "(%d + %d > %d)\n", max_linkhdr, maxlen, MCLBYTES);
		panic("nd6_na_output: insufficient MCLBYTES");
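The following is an added example, not part of the PR or of the NetBSD source: it models a single cluster of MCLBYTES bytes, treats "the payload written after max_linkhdr bytes of reserved header space stays inside the cluster" as the reference condition, and exhaustively compares both reject predicates (the ">=" from the Description and the ">" from the Fix) against it. MCLBYTES = 2048 is an assumed host value chosen for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed cluster size for this model (NetBSD uses 2048 on most ports). */
#define MCLBYTES 2048

/* Reference model: reserve max_linkhdr bytes at the front of one cluster,
 * then write a maxlen-byte packet behind them. Returns true iff the last
 * payload byte still lands inside the cluster (highest index MCLBYTES - 1). */
static bool packet_fits_in_cluster(size_t max_linkhdr, size_t maxlen)
{
    uint8_t cluster[MCLBYTES];

    /* Bounds are checked before touching memory so the model itself is safe. */
    if (max_linkhdr > sizeof cluster || maxlen > sizeof cluster - max_linkhdr)
        return false;                        /* payload would run past the end */
    if (maxlen > 0)
        cluster[max_linkhdr + maxlen - 1] = 0xAA;   /* touch the last payload byte */
    return true;
}

/* Reject predicate as currently written in nd6_ns_output()/nd6_na_output(). */
static bool reject_buggy(int max_linkhdr, int maxlen)
{
    return max_linkhdr + maxlen >= MCLBYTES;
}

/* Reject predicate as proposed in the Fix section. */
static bool reject_fixed(int max_linkhdr, int maxlen)
{
    return max_linkhdr + maxlen > MCLBYTES;
}

/* A correct reject predicate must be exactly the negation of "fits".
 * Walk every (max_linkhdr, maxlen) pair up to one byte past the cluster and
 * count the pairs where the predicate disagrees with the reference model. */
static int count_mismatches(bool (*reject)(int, int))
{
    int mismatches = 0;
    for (int hdr = 0; hdr <= MCLBYTES; hdr++)
        for (int len = 0; len <= MCLBYTES - hdr + 1; len++)
            if (reject(hdr, len) == packet_fits_in_cluster((size_t)hdr, (size_t)len))
                mismatches++;
    return mismatches;
}
```

The ">=" form disagrees with the model on every exact-fit pair (max_linkhdr + maxlen == MCLBYTES), i.e. MCLBYTES + 1 pairs, while the ">" form disagrees on none.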