From af35a0e29628b7bf52cd2e04d9f4e98d26036981 Mon Sep 17 00:00:00 2001
From: np
Date: Wed, 24 Jan 2018 05:09:21 +0000
Subject: [PATCH] Do not generate illegal mbuf chains during IP fragment reassembly.

Only the first mbuf of the reassembled datagram should have a pkthdr.

This was discovered with cxgbe(4) + IPSEC + ping with payload more than interface MTU. cxgbe can generate !M_WRITEABLE mbufs and this results in m_unshare being called on the reassembled datagram, and it complains:
panic: m_unshare: m0 0xfffff80020f82600, m 0xfffff8005d054100 has M_PKTHDR

PR: 224922
Reviewed by: ae@
MFC after: 1 week
Sponsored by: Chelsio Communications
Differential Revision: https://reviews.freebsd.org/D14009
---
 sys/netinet/ip_reass.c | 1 +
 sys/netinet6/frag6.c | 1 +
 2 files changed, 2 insertions(+)

diff --git a/sys/netinet/ip_reass.c b/sys/netinet/ip_reass.c
index fbf9c176956d..6e83800ee7ea 100644
--- a/sys/netinet/ip_reass.c
+++ b/sys/netinet/ip_reass.c
@@ -377,6 +377,7 @@ ip_reass(struct mbuf *m)
 q->m_nextpkt = NULL;
 m->m_pkthdr.csum_flags &= q->m_pkthdr.csum_flags;
 m->m_pkthdr.csum_data += q->m_pkthdr.csum_data;
+ m_demote_pkthdr(q);
 m_cat(m, q);
 }
 /*
diff --git a/sys/netinet6/frag6.c b/sys/netinet6/frag6.c
index 0384c7fdc80d..3b2773f812f8 100644
--- a/sys/netinet6/frag6.c
+++ b/sys/netinet6/frag6.c
@@ -541,6 +541,7 @@ frag6_input(struct mbuf **mp, int *offp, int proto)
 while (t->m_next)
 t = t->m_next;
 m_adj(IP6_REASS_MBUF(af6), af6->ip6af_offset);
+ m_demote_pkthdr(IP6_REASS_MBUF(af6));
 m_cat(t, IP6_REASS_MBUF(af6));
 free(af6, M_FTABLE);
 af6 = af6dwn;
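Review bot: The new `m_demote_pkthdr(q)` call in ip_reass is order-sensitive and deserves a why-comment, because it must stay after the two csum_flags/csum_data merges on the preceding lines: if m_demote_pkthdr clears the packet header, as I recall it does in the mbuf code, moving it up would silently read zeroed checksum state from q. I would add, directly above the call, `/* q's pkthdr state has been merged into m above; drop its header (and any tags) so only the first mbuf of the chain carries M_PKTHDR. */`. It is also worth noting in that comment that whatever metadata the later fragments carried (rcvif, mbuf tags) is discarded here and the reassembled datagram is attributed entirely to the first fragment, which is the intended behaviour per the commit message but is not obvious from the code. The enclosing ip_reass body starts and ends outside this hunk.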
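Review bot: In frag6_input the fragment mbuf is now fetched with `IP6_REASS_MBUF(af6)` three times in a row (m_adj, the added m_demote_pkthdr, m_cat), which makes it easy for a later edit to demote or concatenate a different mbuf than the one that was trimmed; a single local would make the sequence read as one operation on one object, e.g. `struct mbuf *fm = IP6_REASS_MBUF(af6);` followed by `m_adj(fm, af6->ip6af_offset); m_demote_pkthdr(fm); m_cat(t, fm);`. Since m_adj on a header mbuf also adjusts m_pkthdr.len and the header is then thrown away by m_demote_pkthdr, a one-line comment such as `/* Trim the fragment header, then drop this fragment's pkthdr: only the chain head keeps M_PKTHDR. */` would tell the next reader why the order is adj-then-demote rather than the reverse. The loop these lines sit in, and frag6_input itself, begin and end outside the hunk.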