Hello All.

I found a bug in IPv6 of Linux kernel 2.6.7. My analysis shows that the kernel treats the IPv6 fragment wrongly.

If IPv6 data length + IPv6 header > mtu, we should divide the IPv6 datagram into fragments. But the function ip6_append_data() treats it wrongly. It's judged by the following wrong condition: If IPv6 data length + IPv6 header + IPv6 fragment option header > mtu, then divide the IPv6 datagram into fragments.

The patch to kernel 2.6.7 to solve this problem is shown below.

--- linux-2.6.7/net/ipv6/ip6_output.c 2004-07-02 04:20:42.000000000 -0400 +++ linux-2.6.7/net/ipv6/ip6_output.c 2004-07-05 11:20:17.000000000 -0400 @@ -894,7 +894,10 @@ unsigned int alloclen; BUG_TRAP(copy == 0); alloc_new_skb: - datalen = maxfraglen - fragheaderlen; + if(length <= (mtu - sizeof(struct ipv6hdr)) ) + datalen = mtu - sizeof(struct ipv6hdr); + else + datalen = maxfraglen - fragheaderlen; if (datalen > length) datalen = length; fraglen = datalen + fragheaderlen;

Regards,
Ueki Kohei
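Review bot: the new branch at alloc_new_skb sizes the payload against sizeof(struct ipv6hdr), but the unchanged line below it computes fraglen = datalen + fragheaderlen, so the two agree only when fragheaderlen equals sizeof(struct ipv6hdr). If fragheaderlen is ever larger (for example, if it also counts extension headers placed before the fragment header), a length that passes the new check can produce a fraglen above mtu. Comparing against mtu - fragheaderlen instead would keep the test consistent with how fraglen is built. Because the unchanged lines clamp datalen to length right afterwards, the new branch always ends with datalen == length, so assigning datalen = length directly would state the intent more clearly. The clamp also suggests length is the amount still to be appended rather than the full datagram size; if this label is reached for a later fragment of a datagram that is already being fragmented, the new test would treat the tail as unfragmented, so the condition should be tied to whether fragmentation has already started. A short comment explaining why the unfragmented case is special would help. Style: the kernel convention is "if (length <= mtu - sizeof(struct ipv6hdr))", with a space after "if" and no space before the closing parenthesis.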