>
>
> Hello ppl.
>
> Last week i was playing with my old linux 2.0.36 i486 box, while i was playing with the command ping and trying combinations of commands
> i found that when u do a ping -s 65468 -R ANYIPADDRESS ( -R record route) the system starts to print on the screen kernel dumps
> , freezes complitely and after few secconds the system reboots.
>
I didn't look in 2.0.38 yet but in 2.0.36 the problem is in net/ipv4/ip_output.c in ip_build_xmit.
Here a short int (length) is used to compute the length of the ip packet. At first length contains the length of the packet without the header, then the ip header
length is added:
if (!sk->ip_hdrincl) {
length += sizeof(struct iphdr);
if(opt) length += opt->optlen;
}
ping -s 65468 -R generates a packet that looks like:
ip header: 20 bytes
ip options: 40 bytes
icmp header: 8 bytes
icmp data: 65468 bytes
If you add all this up you obtain 65536, but length is a short int so length will be 0!
A quick way to fix this bug is to add the following if, after the one above:
if (length < 20){
printk("<1> ip_build_xmit: ERROR: packet too big! "
"dropping...\n");
return -EPERM;
}
However if the length of the packet "overflows" 65535 by more than 20 bytes you could have trouble. I do not now well enough the Linux networking code (yet :)) so
maybe one of you can write a better solution. Also I should not probably return EPERM and use printk("<1>")...
Andrei
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/