Hello,
I just checked the 2.4.0 tree and this patch never made it.
Sorry, it's against an older kernel. The bug is that
icmpv6_param_prob() already frees the skb. I reported
this back in November.
Excerpt from RFC 2460:
If the length of a fragment, as derived from the fragment packet's
Payload Length field, is not a multiple of 8 octets and the M flag
of that fragment is 1, then that fragment must be discarded and an
ICMP Parameter Problem, Code 0, message should be sent to the
source of the fragment, pointing to the Payload Length field of
the fragment packet.
The latter part of the patch concerns sending param_prob even
when offset != 0. Alexey wrote in the comment otherwise though.
Regarding the IPv6 evaluations, I've been unable to work on
them - being full-time employed and working on my thesis. Maybe,
I can resume when things get less hectic.
--- linux-2.4.0-test10/net/ipv6/reassembly.c Sat Jul 15 00:02:20 2000
+++ linux-2.4.0-test10.ipv6/net/ipv6/reassembly.c Sun Nov 5 01:31:43 2000
@@ -365,7 +365,7 @@
if ((unsigned int)end >= 65536) {
icmpv6_param_prob(skb,ICMPV6_HDR_FIELD, (u8*)&fhdr->frag_off);
- goto err;
+ return;
}
/* Is this the final fragment? */
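Review bot: the new `return` after icmpv6_param_prob() in the `end >= 65536` branch is only correct because the callee frees the skb, and nothing at the call site says so. A one-line comment above the return, for example /* icmpv6_param_prob() frees the skb */, would keep a later cleanup from restoring `goto err` and bringing back the double free. The err label is outside this hunk; if it does anything besides freeing the skb, that work is now skipped on this path and should be checked.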
@@ -383,16 +383,9 @@
* Required by the RFC.
*/
if (end & 0x7) {
- printk(KERN_DEBUG "fragment not rounded to 8bytes\n");
-
- /*
- It is not in specs, but I see no reasons
- to send an error in this case. --ANK
- */
- if (offset == 0)
- icmpv6_param_prob(skb, ICMPV6_HDR_FIELD,
- &skb->nh.ipv6h->payload_len);
- goto err;
+ icmpv6_param_prob(skb, ICMPV6_HDR_FIELD,
+ &skb->nh.ipv6h->payload_len);
+ return;
}
if (end > fq->len) {
/* Some bits beyond end -> corruption. */
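Review bot: in the `end & 0x7` branch the parameter problem is now sent for every offset, but the comment that explained the old `offset == 0` restriction is deleted without a replacement. A short comment citing the RFC 2460 rule on fragments whose length is not a multiple of 8 octets would document the unconditional send next to "Required by the RFC". The RFC text quoted in the mail applies when the M flag is 1, and the test for that is not visible in this hunk, so confirm the branch is reached only for non-final fragments. Minor style point: the pointer argument here lacks the (u8*) cast used in the first hunk.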
Aki