Hello,
We have been testing the IPv6 implementation of different Linux
kernel versions with TAHI (www.tahi.org) and the 56th test from the IPv6
Specification series causes 2.4.x to crash.
The test is to check fragment reassembly when the length is invalid:

TEST PROCEDURE

    Tester                      Target
      |                           |
      |-------------------------->|
      |    Echo Request (1st)     |
      |                           |
      |                           |
      |-------------------------->|
      |    Echo Request (2nd)     |
      |                           |
      |                           |
      |<--------------------------|
      |        ICMP Error         |
      |                           |
      |                           |
      v                           v

1. Send Echo Request (1st fragment)
2. Send Echo Request (2nd fragment)
3. Receive ICMP Error

Echo Request (1st fragment) is:

    IPv6 Header
        Version            = 6
        Traffic Class      = 0
        FlowLabel          = 0
        PayloadLength      = 527 (not multiple of 8 octets)
        NextHeader         = 56 (Fragment Header)
        SourceAddress      = Tester Link Local Address
        DestinationAddress = Target Link Local Address
    Fragment Header
        NextHeader         = 58 (ICMP)
        FragmentOffset     = 0 (1st fragment)
        MFlag              = 1 (more fragment)

The last messages before the oops are:
Warning: kfree_skb passed an skb still on a list (from xxxxxx)
and it is from the kfree_skb called from ip6_frag_queue in reassembly.c
I hope this helps to find the bug (2.2.19 is OK).
Regards,
Jozsef
-
E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
WWW-Home: http://www.kfki.hu/~kadlec
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
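
The length rule this test exercises (RFC 2460, section 4.5), written out as an added example; it is not part of the original message and is not the kernel's code. The names `check_fragment`, `build_first_fragment` and the verdict enum are hypothetical, the Fragment header is assumed to follow the IPv6 header directly, and the constructed sample packet uses Next Header 44, the assigned value for the Fragment header.

```c
#include <stdint.h>
#include <string.h>

#define IPV6_HDR_LEN     40
#define FRAG_HDR_LEN      8
#define NEXTHDR_FRAGMENT 44  /* IANA-assigned number of the Fragment header */

enum frag_verdict { FRAG_ACCEPT, FRAG_MALFORMED, FRAG_PARAM_PROBLEM };

/* Validate one fragment before it is queued for reassembly. On
 * FRAG_PARAM_PROBLEM, *pointer is the octet offset to report in the
 * ICMPv6 Parameter Problem (Code 0) message. */
enum frag_verdict check_fragment(const uint8_t *pkt, size_t len, uint32_t *pointer)
{
    if (len < IPV6_HDR_LEN + FRAG_HDR_LEN || (pkt[0] >> 4) != 6 ||
        pkt[6] != NEXTHDR_FRAGMENT)
        return FRAG_MALFORMED;
    uint32_t payload_len = ((uint32_t)pkt[4] << 8) | pkt[5];
    if (payload_len < FRAG_HDR_LEN || IPV6_HDR_LEN + payload_len > len)
        return FRAG_MALFORMED;

    const uint8_t *fh = pkt + IPV6_HDR_LEN;
    uint32_t off_flags = ((uint32_t)fh[2] << 8) | fh[3];
    uint32_t offset = off_flags & 0xfff8;  /* 13-bit field in 8-octet units */
    uint32_t more = off_flags & 0x1;       /* M flag */
    uint32_t data_len = payload_len - FRAG_HDR_LEN;

    /* Non-final fragment with data not a multiple of 8 octets:
     * discard, pointing at the Payload Length field (octet 4). */
    if (more && (data_len & 0x7)) {
        *pointer = 4;
        return FRAG_PARAM_PROBLEM;
    }
    /* Reassembled payload would exceed 65535 octets:
     * discard, pointing at the Fragment Offset field. */
    if (offset + data_len > 65535) {
        *pointer = IPV6_HDR_LEN + 2;
        return FRAG_PARAM_PROBLEM;
    }
    return FRAG_ACCEPT;
}

/* Constructed sample input: a first fragment (offset 0) with zeroed addresses. */
size_t build_first_fragment(uint8_t *buf, uint16_t payload_len, int more)
{
    memset(buf, 0, IPV6_HDR_LEN + (size_t)payload_len);
    buf[0] = 0x60;                         /* Version = 6 */
    buf[4] = (uint8_t)(payload_len >> 8);
    buf[5] = (uint8_t)(payload_len & 0xff);
    buf[6] = NEXTHDR_FRAGMENT;
    buf[IPV6_HDR_LEN] = 58;                /* inner NextHeader = ICMPv6 */
    buf[IPV6_HDR_LEN + 3] = more ? 1 : 0;  /* FragmentOffset = 0, M flag */
    return IPV6_HDR_LEN + (size_t)payload_len;
}
```

With PayloadLength = 527 and MFlag = 1, as in the test packet above, the check returns the Parameter Problem verdict before any queueing happens.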