netbsd-bugs: kern/10195: fxp0 (and possibly tlp0 and others) corrupt raw IP packets

Subject: kern/10195: fxp0 (and possibly tlp0 and others) corrupt raw IP packets
To: None <gnats-bugs@gnats.netbsd.org>
From: None <chopps@merit.edu>
List: netbsd-bugs
Date: 05/24/2000 12:26:13

>Number:         10195
>Category:       kern
>Synopsis:       fxp0 (and possibly tlp0 and others) corrupt raw IP packets
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed May 24 12:27:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Christian E. Hopps
>Release:        May 7, 2000
>Organization:
	None
>Environment:
	
System: NetBSD defoe 1.4Y NetBSD 1.4Y (GATED) #13: Wed May 24 14:51:22 EDT 2000     chopps@sulfur:/usr/src/sys/arch/i386/compile/GATED i386

>Description:
	The ip_len field of a raw-IP packet that is comprised of at least
	2 mbufs in a chain is being byte-swapped, at least on i386, back
	into host order.  This byte-swap occurs sometime after queueing it
	on the actual interface output queue.  This was verified by examining
	the ip_len field in the mbuf immediately prior and after queueing in
	ether_output().

	Note: packets sent e.g., on SOCK_DRAM do not seem to be corrupted
	and also packets sent non-broadcast do not seem to be corrupted.

	The DGRAM case was not fully investigated.. It could be that
	for packets sent on a DGRAM socket different mbufs chaining occurs.

>How-To-Repeat:

	non-corrupting version:
		ping -n <broadcast>

	corrupting version:
		pin -s 144 -n <broadcast>

	The payload size of 144 forces the packet to be created with
	an mbuf chain instead of a single mbuf.

>Fix:

	Uknown.
>Release-Note:
>Audit-Trail:
>Unformatted: