Subject: Re: kern/34674: Panic in tcp_input() by integer division fault
To: None <dbj@NetBSD.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,>
From: Michael van Elst <mlelstv@serpens.de>
List: netbsd-bugs
Date: 10/01/2006 17:50:02
The following reply was made to PR kern/34674; it has been noted by GNATS.
From: Michael van Elst <mlelstv@serpens.de>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/34674: Panic in tcp_input() by integer division fault
Date: Sun, 1 Oct 2006 19:49:08 +0200
christianbiere@gmx.de (Christian Biere) writes:
> > Michael van Elst wrote:
> > > *txsegsizep = min((so->so_snd.sb_hiwat -
> > > so->so_snd.sb_lowat + 1) >> 1, *txsegsizep);
>
> > As hiwat is guaranteed to be equal or larger than lowat, I guess changing
> > the "+ 2" should fix this because ">> 1" can never gain zero then. I'll
> > try this.
>
> This prevents the division-by-zero but still causes the other panic in
> m_copydata() from tcp_output() as before. Apparently "*txsegsizep"
> must not cross a certain minimum threshold.
I found

    txsegsize_nosack = txsegsize;
    [...]
    txsegsize = txsegsize_nosack - TCP_SACK_OPTLEN(sack_numblks);
    [...]
    if (len > txsegsize) {
    [...]
    len = txsegsize;

len finally is used to m_copydata(). txsegsize is computed like above.
The minimum size is therefore at least TCP_SACK_OPTLEN(TCP_SACK_MAX) = 28.
--
Michael van Elst
Internet: mlelstv@serpens.de
"A potential Snark may lurk in every tree."
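
The arithmetic discussed in this message, as an added example that is not part of the original mail or of the NetBSD source: a simplified user-space model (plain int types) of the quoted clamp and the excerpted SACK subtraction, next to a guarded variant. The macro definitions are assumptions chosen to match the value 28 given above, and imin(), imax(), sack_len() and clamp_txsegsize_floor() with its floor of 28 + 1 are hypothetical names and choices made for this example.

```c
#include <stdio.h>

/* Assumed definitions, consistent with the value 28 quoted in the message. */
#define TCP_SACK_MAX 3
#define TCP_SACK_OPTLEN(nblk) ((nblk) * 8 + 2 + 2)

static int imin(int a, int b) { return a < b ? a : b; }
static int imax(int a, int b) { return a > b ? a : b; }

/* The quoted clamp; bias is 1 (original code) or 2 (the change that was tried). */
static int clamp_txsegsize(int hiwat, int lowat, int txsegsize, int bias)
{
    return imin((hiwat - lowat + bias) >> 1, txsegsize);
}

/* The excerpted steps: reserve SACK option space, then cap len. */
static long sack_len(int txsegsize_nosack, int sack_numblks, long len)
{
    int txsegsize = txsegsize_nosack - TCP_SACK_OPTLEN(sack_numblks);
    if (len > txsegsize)
        len = txsegsize;
    return len;   /* this is the length that reaches m_copydata() */
}

/* Hypothetical guard: keep the buffer-derived term above the largest SACK
 * option length (floor of 28 + 1 is this example's choice), never above
 * the incoming txsegsize. */
static int clamp_txsegsize_floor(int hiwat, int lowat, int txsegsize)
{
    int half = (hiwat - lowat + 1) >> 1;
    return imin(imax(half, TCP_SACK_OPTLEN(TCP_SACK_MAX) + 1), txsegsize);
}

int main(void)
{
    int hiwat = 4096, lowat = 4096;   /* constructed values: hiwat == lowat */
    int orig = clamp_txsegsize(hiwat, lowat, 1460, 1);
    int plus2 = clamp_txsegsize(hiwat, lowat, 1460, 2);
    int safe = clamp_txsegsize_floor(hiwat, lowat, 1460);

    printf("+1: txsegsize=%d (zero divisor)\n", orig);
    printf("+2: txsegsize=%d, len with 3 SACK blocks=%ld\n",
           plus2, sack_len(plus2, TCP_SACK_MAX, 1000));
    printf("floor: txsegsize=%d, len with 3 SACK blocks=%ld\n",
           safe, sack_len(safe, TCP_SACK_MAX, 1000));
    return 0;
}
```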