Hi All,
I traced the core dump of a segfaulting tinc (1.1pre16) and found that
the problem occurs when dest->mtu is 0 in
src/route.c:607:fragment_ipv4_packet()
maxlen = (dest->mtu - ether_size - ip_size) & ~0x7;
...
int len = todo > maxlen ? maxlen : todo;
memcpy(DATA(&fragment) + ether_size + ip_size, offset, len);
If dest->mtu is 0, signed int maxlen becomes -40 and is then passed as
unsigned size_t len into memcpy which then segfaults.
Elsewhere in the code, the mtu value is always wrapped in MAX(mtu, 590).
I applied the same to maxlen and see no more segfaults so far.
Is that the best fix? Why is dest->mtu 0 at this point?
Would it be useful to disable path MTU discovery? There should be no
unexpected MTU restrictions on the Internet paths between the nodes.
Thank you,
Werner
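As an added illustration (not code from the mail or from tinc), the arithmetic below reproduces the failure described above and contrasts it with a guarded length choice. The header sizes (14 and 20) and the 590-byte floor are assumptions taken from the -40 result and the MAX(mtu, 590) idiom mentioned in the mail; the function names are made up for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed sizes: Ethernet header 14 bytes, IPv4 header 20 bytes. With mtu == 0
 * this reproduces the -40 quoted in the mail. */
#define ETHER_SIZE 14
#define IP_SIZE    20
/* Floor that the mail says tinc applies elsewhere via MAX(mtu, 590). */
#define MIN_MTU    590

#define MAX(a, b) ((a) > (b) ? (a) : (b))

/* Unguarded computation, as in the original route.c line: a small or zero MTU
 * drives the signed result negative. */
int maxlen_unguarded(int mtu)
{
    return (mtu - ETHER_SIZE - IP_SIZE) & ~0x7;
}

/* What memcpy actually receives: the negative int converted to size_t, i.e. a
 * length close to SIZE_MAX, which reads far past the packet buffer. */
size_t as_memcpy_len(int len)
{
    return (size_t)len;
}

/* Clamped variant equivalent to the posted patch. */
int maxlen_clamped(int mtu)
{
    return (MAX(mtu, MIN_MTU) - ETHER_SIZE - IP_SIZE) & ~0x7;
}

/* Defensive fragment length: refuse (return -1) instead of copying when the
 * MTU leaves no room for payload, otherwise copy min(maxlen, todo). */
int choose_fragment_len(int mtu, int todo)
{
    int maxlen = (mtu - ETHER_SIZE - IP_SIZE) & ~0x7;
    if (maxlen <= 0)
        return -1;                 /* caller should drop/log, not memcpy */
    return todo > maxlen ? maxlen : todo;
}

int main(void)
{
    int bad = maxlen_unguarded(0);
    printf("mtu=0: maxlen=%d -> memcpy len=%zu\n", bad, as_memcpy_len(bad));
    printf("mtu=0 clamped: maxlen=%d\n", maxlen_clamped(0));
    printf("mtu=0 guarded: %d, mtu=1500 todo=2000: %d\n",
           choose_fragment_len(0, 2000), choose_fragment_len(1500, 2000));
    return 0;
}
```

The clamp stops the crash, but it also silently fragments to a size the peer never advertised; returning an error when maxlen is not positive keeps the "why is mtu 0 here" question visible in the logs instead of hiding it.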
-------------- next part --------------
--- src/route.c.orig
+++ src/route.c
@@ -598,7 +598,7 @@
logger(DEBUG_TRAFFIC, LOG_INFO, "Fragmenting packet of %d bytes to %s
(%s)", packet->len, dest->name, dest->hostname);
offset = DATA(packet) + ether_size + ip_size;
- maxlen = (dest->mtu - ether_size - ip_size) & ~0x7;
+ maxlen = (MAX(dest->mtu, 590) - ether_size - ip_size) & ~0x7;
ip_off = ntohs(ip.ip_off);
origf = ip_off & ~IP_OFFMASK;
ip_off &= IP_OFFMASK;
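Review bot: the clamp on the `maxlen` line hides the underlying condition rather than handling it; the hunk still lets the subsequent `len`/`memcpy` path run even though `dest->mtu == 0` evidently means no usable MTU was known for this destination. Suggest keeping a check that `maxlen > 0` after the computation and dropping (with a `logger(...)` message) when it is not, so the "why is dest->mtu 0" question raised in the mail surfaces in the log instead of being masked. The literal `590` should reuse whatever named constant the other `MAX(mtu, 590)` sites use rather than repeating a magic number. Also note the `logger(...)` context line is wrapped across two lines by the mail client, so this patch will not apply as pasted.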