weird code (bug?) in IP options handling

From: Nadav Har'El (
Date: Thu Sep 19 2002 - 10:28:01 EST

While browsing the ip-options setting code in Linux 2.4-18, I came across
the following peculiar code in net/ipv4/ip_options.c in ip_options_compile.
The code is apparently used when a setsockopt(fd, SOL_IP, IP_OPTIONS,...)
is called and one of the options is IPOPT_END (0):

        for (l = opt->optlen; l > 0; ) {
                switch (*optptr) {
                      case IPOPT_END:
                        for (optptr++, l--; l>0; l--) {
                                if (*optptr != IPOPT_END) {
                                        *optptr = IPOPT_END;
                                        opt->is_changed = 1;
                        goto eol;

I am *guessing* that this piece of code was meant to zero (assign as
IPOPT_END) all option bytes after the first IPOPT_END. However, this is
not what actually happens in this code. In this code, only a single
byte after the first IPOPT_END (optptr++) is zeroed, and this same
assignment is done many times in a loop! This can't have been intended :)

I am guessing that this is just a programming error, and the programmer
perhaps intended to make the assignment in the inner for loop as

        *optptr = IPOPT_END;

Who's in charge for this code and can perhaps take a look at it?

By the way, I wonder: why zero the options at all? Why not simply leave
all option bytes after the first IPOPT_END as-is?

Nadav Har'El                        |    Thursday, Sep 19 2002, 14 Tishri 5763             |-----------------------------------------
Phone: +972-53-245868, ICQ 13349191 |If you tell the truth, you don't have to           |remember anything.
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
More majordomo info at
Please read the FAQ at

This archive was generated by hypermail 2b29 : Mon Sep 23 2002 - 22:00:26 EST