Re: [syzbot] [net?] WARNING in __ip6_append_data
From: David Howells
Date: Fri Sep 15 2023 - 11:33:28 EST
Hi Eric,
> > WARNING: CPU: 1 PID: 5042 at net/ipv6/ip6_output.c:1800 __ip6_append_data.isra.0+0x1be8/0x47f0 net/ipv6/ip6_output.c:1800
That would appear to be this:
	if (WARN_ON_ONCE(copy > msg->msg_iter.count))
		goto error;
However, I have a problem that the repro program errors out at this point
before it gets that far:
	if (cork->length + length > maxnonfragsize - headersize) {
emsgsize:
		pmtu = max_t(int, mtu - headersize + sizeof(struct ipv6hdr), 0);
		ipv6_local_error(sk, EMSGSIZE, fl6, pmtu);
		return -EMSGSIZE;
	}
Are you able to reproduce the issue?
The values in and around that point are:
	cork->length		0
	length			65540
	maxnonfragsize		65575
	headersize		40
	transhdrlen		4
	mtu			65536
	ip6_sk_ignore_df(sk)	true
with maxnonfragsize coming from 'sizeof(struct ipv6hdr) + IPV6_MAXPLEN'. Is
that even viable for the size of a packet?
David