Subject: kern/3577: UDP-packet length calculation wrong
To: None <gnats-bugs@gnats.netbsd.org>
From: Heiko W.Rupp <hwr@pilhuhn.de>
List: netbsd-bugs
Date: 05/05/1997 17:44:24
>Number:         3577
>Category:       kern
>Synopsis:       UDP-packet length calculation wrong
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon May  5 08:50:03 1997
>Last-Modified:
>Originator:     Heiko W.Rupp
>Organization:
Heiko W.Rupp        Gerwigstr.5        D-76131  Karlsruhe    +49 721 9661524
>Release:        1.1
>Environment:
	
System: NetBSD snert.pilhuhn.de 1.1 NetBSD 1.1 (SNERT+PPP) #11: Thu Jan 30 11:00:49 MET 1997 hwr@snert.pilhuhn.de:/usr/src/sys/arch/i386/compile/SNERT+PPP i386


>Description:

	Received UDP packets with more than 2^15 Bytes in size are thrown 
	away by the system.

	From looking at the code (and also at TCP/IP Illustrated II), this
	seems to be a signed/unsigned 

>How-To-Repeat:

	Send UDP packets with more than 2^15 in length to the host,
	look at ``netstat -s | tail '' before and after sending. The
	value of the ``xx with bad data length field''  line will increase
 	by the packet count.

>Fix:

	From looking at the code it seems that this is the offending line:

	netinet/udp_usrreq.c:

void
udp_input(m, iphlen)
        register struct mbuf *m;
        int iphlen;
{
        register struct ip *ip;
        register struct udphdr *uh;
        register struct inpcb *inp;
        struct mbuf *opts = 0;
>Audit-Trail:
>Unformatted:
>>        int len;
        struct ip save_ip;  

(I am not sure though).
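
The symptom reported above can be reproduced in isolation. This is an added example, not part of the original report and not NetBSD source: it shows how a length check of this kind rejects every datagram of 2^15 bytes or more once a 16-bit length is held in a signed field. The struct names, field types and function names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the IP header length field (types assumed). */
struct demo_ip_signed   { int16_t  ip_len; };  /* signed 16-bit length */
struct demo_ip_unsigned { uint16_t ip_len; };  /* unsigned 16-bit length */

/*
 * Both functions return 1 when the datagram would be counted under
 * "bad data length field", i.e. when the UDP length claims more data
 * than the IP layer says it delivered.
 */
int badlen_signed(uint16_t ip_payload, uint16_t udp_len)
{
    struct demo_ip_signed ip;
    int len = udp_len;               /* UDP length from the wire, 0..65535 */

    /* Values >= 2^15 become negative here (two's complement targets). */
    ip.ip_len = (int16_t)ip_payload;
    return len > ip.ip_len;          /* negative ip_len: always "too long" */
}

int badlen_unsigned(uint16_t ip_payload, uint16_t udp_len)
{
    struct demo_ip_unsigned ip;
    int len = udp_len;

    ip.ip_len = ip_payload;          /* promoted to int without sign change */
    return len > ip.ip_len;
}

int main(void)
{
    /* Constructed sample sizes around the 2^15 boundary. */
    static const uint16_t sizes[] = { 1000, 32767, 32768, 40000, 65507 };
    size_t i;

    for (i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++)
        printf("len %5u: signed field -> %s, unsigned field -> %s\n",
               (unsigned)sizes[i],
               badlen_signed(sizes[i], sizes[i]) ? "dropped" : "accepted",
               badlen_unsigned(sizes[i], sizes[i]) ? "dropped" : "accepted");
    return 0;
}
```

With the unsigned field, a well-formed datagram of any size is accepted, while a UDP length that really exceeds the IP payload is still rejected.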