NetBSD-Bugs archive
Re: kern/50766 panic in tcp_input.c on the banana pi
The following reply was made to PR kern/50766; it has been noted by GNATS.
From: Michael van Elst <mlelstv%serpens.de@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc:
Subject: Re: kern/50766 panic in tcp_input.c on the banana pi
Date: Sat, 5 Nov 2016 17:37:25 +0100
I just got the same on evbmips running -current and analyzed it a bit.

ip_input() and ip6_input() align the IP header by calling m_copyup when
necessary to enforce alignment.

However, the protocol input routines rely on m_pulldown() to achieve
the same. This assumption breaks when IP header and protocol header
(e.g. ICMP) are not contiguous but in separate mbufs. There is no
guarantee that the second mbuf is aligned.

m_copyup() is part of the problem too. It copies the requested
header size but rounds it up to 60 bytes. For a simple packet
this copies part of the protocol header, which is therefore
aligned, and the following m_pullup coalesces remaining bytes.

But with ipv6-in-ipv4 encapsulation you have e.g.

20 bytes IPv4
40 bytes IPv6
20 bytes TCP

If this comes in aligned, everyone is happy.

If this comes in unaligned, then ip_input will m_copyup 60 bytes,
leaving the unaligned TCP header in the original mbuf.

ip6_input will then see that its header is already aligned and
do nothing regarding alignment.

tcp_input will fail because the header isn't aligned and m_pullup
doesn't change that.

I have locally patched the protocol routines to use m_copyup as well.

Greetings,
--
Michael van Elst
Internet: mlelstv%serpens.de@localhost
"A potential Snark may lurk in every tree."
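
Added example, not part of the original message and not NetBSD kernel code: a toy C model of the sequence described in the message, showing where the TCP header ends up after the copy-up in the ip_input step. The 4-byte alignment requirement, the addresses, and the names seg, model_copyup, hdr_aligned and tcp_aligned are assumptions made for this illustration; only the 60-byte round-up and the header sizes come from the message.

```c
#include <stdio.h>
#include <stddef.h>
#define ALIGN      4   /* assumed alignment requirement for header access */
#define COPYUP_MIN 60  /* round-up size quoted in the message */
/* Toy mbuf: only the address of the first data byte and the length matter. */
struct seg { unsigned long addr; size_t len; };

/* Model of copy-up: leading bytes move to a fresh aligned segment, rest stays. */
static size_t model_copyup(struct seg in, size_t want, struct seg out[2])
{
    size_t n = want < COPYUP_MIN ? COPYUP_MIN : want;
    if (n > in.len) n = in.len;
    out[0] = (struct seg){ 0x1000, n };            /* constructed aligned address */
    out[1] = (struct seg){ in.addr + n, in.len - n };
    return out[1].len ? 2 : 1;                     /* segments now in the chain */
}

/* 1 if the header starting at packet offset 'off' is aligned in memory. */
static int hdr_aligned(const struct seg *c, size_t nseg, size_t off)
{
    for (size_t i = 0; i < nseg; i++) {
        if (off < c[i].len) return (c[i].addr + off) % ALIGN == 0;
        off -= c[i].len;
    }
    return -1;                                     /* offset beyond the packet */
}

/* outer = header bytes before TCP; fix = protocol routine copies up as well. */
static int tcp_aligned(size_t outer, unsigned long rx_addr, int fix)
{
    struct seg c[2] = { { rx_addr, outer + 20 } }, d[2];
    size_t n = 1, off;
    if (rx_addr % ALIGN != 0)            /* ip_input step: align the IPv4 header */
        n = model_copyup(c[0], 20, c);
    /* ip6_input step: the IPv6 header sits in c[0], already aligned, no action */
    if (fix && n == 2 && outer >= c[0].len) {
        off = outer - c[0].len;          /* header offset inside the old mbuf */
        n = model_copyup(c[1], off + 20, d);
        return hdr_aligned(d, n, off);
    }
    return hdr_aligned(c, n, outer);
}

int main(void)
{
    printf("plain=%d 6in4=%d 6in4+fix=%d\n", tcp_aligned(20, 0x2002, 0),
           tcp_aligned(60, 0x2002, 0), tcp_aligned(60, 0x2002, 1));
    return 0;
}
```

In the model, 0x2002 stands for a receive buffer whose IP header starts 2 bytes past a 4-byte boundary; the 60-byte copy-up ends exactly where the TCP header begins, so that header keeps the original misalignment.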