lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20120215195837.GA6754@elliptictech.com>
Date:	Wed, 15 Feb 2012 14:58:37 -0500
From:	Nick Bowler <nbowler@...iptictech.com>
To:	Eric Dumazet <eric.dumazet@...il.com>
Cc:	netdev@...r.kernel.org,
	Realtek linux nic maintainers <nic_swsd@...ltek.com>,
	Francois Romieu <romieu@...zoreil.com>
Subject: Re: Bogus frames transmitted with r8169 & fragmentation & large mtu

On 2012-02-15 20:13 +0100, Eric Dumazet wrote:
> Le mercredi 15 février 2012 à 11:37 -0500, Nick Bowler a écrit :
> > We were testing IPsec with large mtu sizes (9000 bytes) and noticed the
> > occasional failure with large datagrams (requiring several fragments,
> > >=25k bytes or so).  Investigating further, I was able to reproduce the
> > issue without using IPsec at all.  Looking at the wireshark capture I
> > see that one of the fragments transmitted is totally bogus: portions of
> > the payload data have made it onto the wire as the headers.  My test
> > case was this:
> > 
> >   ping -c 1 -s 30000 -p 42 birch
> > 
> > which is split into 4 frames, 3 of which (first, second and last) look
> > correct but the fourth consists entirely of 0x42 octets, including the
> > ethernet and IP headers (so the source address is 42:42:42:42:42:42, the
> > destination address is 42:42:42:42:42:42, ethertype is 0x4242, etc.)
> > I've attached the wireshark capture (gzipped) since it's small enough.
> > Nevertheless, the total length is correct for the missing fragment.
[...]
> Interesting, but 2nd frame is also corrupted (not at the start but in
> the middle)

So it is, I missed that.  That looks like the missing headers stuck in
the middle of that frame, although the fragment offset appears to be
wrong (and the more fragments flag is clear).  There's also two 0 bytes
slightly before the headers.

> Where was taken this trace exactly ?

Wireshark was run on the receiving machine (birch), but it was captured
using a separate NIC via a monitor port on the switch.

Thanks,
-- 
Nick Bowler, Elliptic Technologies (http://www.elliptictech.com/)

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ