On Wed, Apr 18, 2007 at 10:39:41AM -0400, Dave Johnson wrote: > the following conditions: > > 1) The TCP code needs to split a full-sized packet due to a reduced > MSS (typically due to the addition of TCP options mid-stream like > SACK). > _AND_ > 2) The checksum of the 2nd fragment is larger than the checksum of the > original packet. After subtraction this results in a checksum for > the 1st fragment with bits 16..31 set to 1. (this is ok) > _AND_ > 3) The checksum of the 1st fragment's TCP header plus the previously > 32bit checksum of the 1st fragment DOES NOT cause a 32bit overflow > when added together. This results in a checksum of the TCP header > plus TCP data that still has the upper 16 bits as 1's. > _THEN_ > 4) The TCP+data checksum is added to the checksum of the pseudo IP > header with csum_tcpudp_nofold() incorrectly (the bug). > > The problem is the checksum of the TCP+data is passed to > csum_tcpudp_nofold() as an 32bit unsigned value, however the assembly > code acts on it as if it is a 64bit unsigned value. > > This causes an incorrect 32->64bit extension if the sum has bit 31 > set. The resulting checksum is off by one. Sigh. The second bug of this kind. As clever and apparently elegent as the sign extension stuff happens to look on MIPS as prone to unobvious accidents it is at times. Oh well. Applied & thanks! Ralf