Bugs in IPv6 code

To: netdev@xxxxxxxxxxx
Subject: Bugs in IPv6 code
From: Sami Sakari Kivisaari <skivisaa@xxxxxxxxxxxxxx>
Date: Wed, 19 Apr 2000 15:40:29 +0300
Sender: owner-netdev@xxxxxxxxxxx
Hi,

We are writing this to report two bugs we have found in the Linux
2.3.99-pre5 IPv6 code.  The first one relates to incorrect ICMP behaviour
if extension headers are present (e.g. fragment header or destination
options header). The second one concerns an incorrect way to free a skb.
Patches are attached and at least they work fine with our test cases.

Bug 1.
======

In raw.c (icmpv6_filter), the following expression expects that the ICMP
header immediately follows the IPv6 header, which obviously is not always
the case:

  icmph = (struct icmp6hdr *) (skb->nh.ipv6h + 1);

A more correct expression would be:

  icmph = (struct icmp6hdr *) skb->h.raw;

Bug 2.
======

In ip6_output.c (ip6_xmit), kfree is used to free a skb. The correct way
would obviously be to use kfree_skb.


Sami Kivisaari



===

diff -urN v2.3.99-pre5/net/ipv6/ip6_output.c linux/net/ipv6/ip6_output.c
--- v2.3.99-pre5/net/ipv6/ip6_output.c  Thu Mar  2 21:41:11 2000
+++ linux/net/ipv6/ip6_output.c Wed Apr 19 15:30:27 2000
@@ -200,7 +200,7 @@
 
                if (skb_headroom(skb) < head_room) {
                        struct sk_buff *skb2 = skb_realloc_headroom(skb,
head_room);
-                       kfree(skb);
+                       kfree_skb(skb);
                        skb = skb2;
                        if (skb == NULL)
                                return -ENOBUFS;
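Review bot: the context line `struct sk_buff *skb2 = skb_realloc_headroom(skb,` in this hunk has been wrapped by the mailer, leaving `head_room);` on a line of its own with no leading space, so the hunk no longer matches the line count in `@@ -200,7 +200,7 @@` and will not apply as posted; please resend with line wrapping off or as an attachment. The change itself looks right: an sk_buff owns a separate data buffer and a reference count that plain kfree() does not handle, and because the original skb is released before the `skb == NULL` check, the -ENOBUFS path does not leak it.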
diff -urN v2.3.99-pre5/net/ipv6/raw.c linux/net/ipv6/raw.c
--- v2.3.99-pre5/net/ipv6/raw.c Mon Feb 28 04:45:10 2000
+++ linux/net/ipv6/raw.c        Fri Apr 14 21:02:30 2000
@@ -115,7 +115,7 @@
        struct raw6_opt *opt;
 
        opt = &sk->tp_pinfo.tp_raw;
-       icmph = (struct icmp6hdr *) (skb->nh.ipv6h + 1);
+       icmph = (struct icmp6hdr *) skb->h.raw;
        return test_bit(icmph->icmp6_type, &opt->filter);
 }
 
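Review bot: the new `skb->h.raw` in icmpv6_filter is only correct if the transport header pointer has already been set to the ICMPv6 header, past any extension headers, on every path that reaches this function, and nothing in the visible lines shows or checks that. Please name in the changelog the caller that guarantees it, and consider verifying that at least the type byte lies inside the packet before `test_bit(icmph->icmp6_type, &opt->filter)` reads it, since no length check is visible ahead of that read.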
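The failure mode behind Bug 1, as an added user-space example (not code from the original mail or from the kernel): reading the byte right after the fixed IPv6 header yields the wrong ICMPv6 type once an extension header is present, while walking the next-header chain finds the real one. It goes beyond the two header kinds the mail names by also stepping over hop-by-hop and routing headers; the packet bytes, function names and constants are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { NH_HOP = 0, NH_ROUTING = 43, NH_FRAGMENT = 44, NH_ICMPV6 = 58,
       NH_DEST = 60, IP6_HLEN = 40 };

/* Constructed sample: IPv6 header followed directly by an echo request (type 128). */
static const uint8_t pkt_plain[48] = { [0] = 0x60, [5] = 8, [6] = NH_ICMPV6, [40] = 128 };
/* Constructed sample: same request behind an 8-byte destination options header (PadN). */
static const uint8_t pkt_dopt[56] = { [0] = 0x60, [5] = 16, [6] = NH_DEST,
    [40] = NH_ICMPV6, [41] = 0, [42] = 1, [43] = 4, [48] = 128 };

/* Pre-patch assumption: the ICMPv6 header sits right after the fixed header. */
static int icmp6_type_naive(const uint8_t *pkt, size_t len)
{
    return len > IP6_HLEN ? pkt[IP6_HLEN] : -1;
}

/* Walk the extension headers; -1 if truncated, not ICMPv6, or a non-first fragment. */
static int icmp6_type_walk(const uint8_t *pkt, size_t len)
{
    size_t off = IP6_HLEN, hlen;
    uint8_t nh;

    if (len < IP6_HLEN)
        return -1;
    for (nh = pkt[6]; nh != NH_ICMPV6; nh = pkt[off], off += hlen) {
        if (len - off < 8)              /* every extension header is >= 8 bytes */
            return -1;
        if (nh == NH_FRAGMENT) {
            /* non-zero fragment offset: no upper-layer header in this packet */
            if (((pkt[off + 2] << 8) | pkt[off + 3]) & 0xfff8)
                return -1;
            hlen = 8;
        } else if (nh == NH_HOP || nh == NH_ROUTING || nh == NH_DEST) {
            hlen = ((size_t)pkt[off + 1] + 1) * 8;  /* length in 8-byte units, minus one */
        } else {
            return -1;
        }
        if (len - off < hlen)
            return -1;
    }
    return off < len ? pkt[off] : -1;
}

int main(void)
{
    printf("plain: naive=%d walk=%d\n", icmp6_type_naive(pkt_plain, 48), icmp6_type_walk(pkt_plain, 48));
    printf("dopt:  naive=%d walk=%d\n", icmp6_type_naive(pkt_dopt, 56), icmp6_type_walk(pkt_dopt, 56));
    return 0;
}
```

On the second packet the naive lookup returns 58, the destination options header's own next-header byte, so a filter bitmap would be tested against a type the sender never set.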