Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/18/84; site brl-tgr.ARPA
Path: utzoo!watmath!clyde!burl!ulysses!gamma!epsilon!zeta!sabre!petrus!bellcore!decvax!linus!philabs!cmcl2!seismo!brl-tgr!tgr!lcc.richard@locus.ucla.edu
From: lcc.richard@locus.ucla.edu (Richard Mathews)
Newsgroups: net.unix-wizards
Subject: tcp packet with options corrupts mbufs
Message-ID: <1022@brl-tgr.ARPA>
Date: Tue, 24-Dec-85 03:13:45 EST
Article-I.D.: brl-tgr.1022
Posted: Tue Dec 24 03:13:45 1985
Date-Received: Wed, 25-Dec-85 23:34:48 EST
Sender: news@brl-tgr.ARPA
Lines: 36

Description:
	If a packet includes tcp options, the m_len and m_off fields of
	the mbuf are set incorrectly.  I had this happen on a 4.1 system
	with 4.2 ipc added, but a glance at the 4.3 code indicates that
	the problem exists there as well.

Repeat-by:
	Send packets with tcp options to a system running 4.2 or 4.3.
	We had someone who ran the "mget" command from "ftp" and
	consistently got "panic: trap" in the bcopy called from sballoc.
	He was sending files from a Gould to a Vax.  Bcopy was passed a
	length of -8.

Fix:
	In tcp_input(), change:

		/*
		 * Drop TCP and IP headers.
		 */
		off += sizeof (struct ip);
		m->m_off += off;
		m->m_len -= off;

	to:

		/*
		 * Drop TCP and IP headers.
		 */
		m->m_off += sizeof(struct tcpiphdr);
		m->m_len -= sizeof(struct tcpiphdr);

	Notice that this only makes a difference if the test

		if (off > sizeof (struct tcphdr))

	was true.

Richard M. Mathews
Locus Computing Corporation
lcc.richard@LOCUS.UCLA.EDU
lcc.richard@UCLA-CS
{ihnp4,ucivax,trwrb}!lcc!richard
{randvax,sdcrdcf,ucbvax,trwspp}!ucla-cs!lcc!richard
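Added example, not part of the original post and not BSD kernel code: a user-space model of the two header-drop computations quoted in the Fix section, showing how m_len diverges when options are present. The struct mbuf_model, the 20-byte header sizes, the helper names and the strip_options() step (which assumes the option branch has already removed the option bytes from the mbuf and reduced m_len) are assumptions made for illustration.

```c
#include <stdio.h>

/* Constructed model, not kernel code. Header sizes without options. */
enum { IP_HDR = 20, TCP_HDR = 20, TCPIP_HDR = IP_HDR + TCP_HDR };

struct mbuf_model { int m_off, m_len; };  /* the two fields the post names */

/* Assumption: the option branch already removed the option bytes from
 * the mbuf and reduced m_len by their length. */
static void strip_options(struct mbuf_model *m, int off)
{
    if (off > TCP_HDR)
        m->m_len -= off - TCP_HDR;
}

/* Arithmetic quoted in the post, before the fix. */
static void drop_headers_original(struct mbuf_model *m, int off)
{
    off += IP_HDR;
    m->m_off += off;
    m->m_len -= off;   /* option length is subtracted a second time */
}

/* Arithmetic quoted in the post, after the fix. */
static void drop_headers_fixed(struct mbuf_model *m)
{
    m->m_off += TCPIP_HDR;
    m->m_len -= TCPIP_HDR;
}

/* m_len left after header removal; off models the TCP data offset in bytes. */
int payload_len_after(int opt_len, int data_len, int fixed)
{
    int off = TCP_HDR + opt_len;
    struct mbuf_model m = { 0, IP_HDR + off + data_len };
    strip_options(&m, off);
    if (fixed)
        drop_headers_fixed(&m);
    else
        drop_headers_original(&m, off);
    return m.m_len;
}

int main(void)
{
    printf("8 option bytes, 100 data bytes: original=%d fixed=%d\n",
           payload_len_after(8, 100, 0), payload_len_after(8, 100, 1));
    return 0;
}
```

Without options both versions leave the same m_len, which matches the post's remark that the change only matters when the test off > sizeof (struct tcphdr) was true.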