Hi community
I am experiencing an issue with PPP/TUN and reception of packets. The network
stack reports different decoding errors in the received packets e.g.:
[ 24.560000] [ WARN] ppp: ipv4_in: WARNING: IP packet shorter than length in
IP header
I can reproduce the issue by sending a number of packets (from my PC over PPP
to the TUN device in NuttX), which are all larger than can fit into one IOB
*and* which are ignored (e.g. unsupported protocol or IP destination) - i.e.
*not* triggering a response / TX packet. I then send a correct ICMP echo
request from my PC to NuttX, which causes the above error to be reported.
The following PC commands will trigger the error message. My PC has IP
172.29.4.1 and the NuttX ppp interface has 172.29.4.2. Note the first command
sends to the *wrong* IP address so that NuttX ignores the ICMP messages. The
second commands uses the IP of NuttX and should result in a response. I run the
test after a fresh boot and with no other network traffic to/from NuttX.
$ ping -I ppp0 -W 0.2 -i 0.2 -c 13 172.29.4.3 -s 156
$ ping -I ppp0 -W 0.2 -c 1 172.29.4.2 -s 0
If I skip the first command, ping works fine.
I think the issue is caused by the IOB management in the TUN device driver
(drivers/net/tun.c). I am new to NuttX, so I don't quite understand the correct
use of IOB, so I am just guessing here. I think that when a packet is received
by tun_write() and too large to fit into a single IOB *and* the packet is
ignored, the IOB chain "lingers" and is not freed. Subsequent packets received
by tun_write() does not end up in the beginning of the first IOB and the
IP/TCP/UDP header may then be split across IOB boundary. The network stack
assumes the protocol headers are not split across IOB boundaries, so the
network stack ends up reading outside the IOB io_data[] array boundaries
resulting in undefined behavior.
With CONFIG_IOB_DEBUG enabled, notice how the "avail" value decrease for each
ignored packet until the final/correct ICMP request (at time 24.540000) is
copied to the second IOB in the chain.
[ 10.060000] [ INFO] ppp0: iob_copyin_internal: iob=0x24002b20 len=184
offset=0
[ 10.060000] [ INFO] ppp0: iob_copyin_internal: iob=0x24002b20 avail=0
len=184 next=0
[ 10.060000] [ INFO] ppp0: iob_copyin_internal: iob=0x24002b20 Copy 182
bytes new len=182
[ 10.070000] [ INFO] ppp0: iob_copyin_internal: iob=0x24002b20 added to the
chain
[ 10.070000] [ INFO] ppp0: iob_copyin_internal: iob=0x24002a50 avail=0 len=2
next=0
[ 10.080000] [ INFO] ppp0: iob_copyin_internal: iob=0x24002a50 Copy 2 bytes
new len=2
[ 10.080000] [ INFO] ppp0: tun_net_receive_tun: IPv4 frame
[ 10.080000] [ INFO] ppp0: ipv4_in: WARNING: Not destined for us; not
forwardable... Dropping!
[ 10.260000] [ INFO] ppp0: iob_copyin_internal: iob=0x24002b20 len=184
offset=0
[ 10.260000] [ INFO] ppp0: iob_copyin_internal: iob=0x24002b20 avail=168
len=184 next=0x24002a50
[ 10.270000] [ INFO] ppp0: iob_copyin_internal: iob=0x24002b20 Copy 168
bytes new len=168
[ 10.270000] [ INFO] ppp0: iob_copyin_internal: iob=0x24002a50 avail=2
len=16 next=0
[ 10.280000] [ INFO] ppp0: iob_copyin_internal: iob=0x24002a50 Copy 16 bytes
new len=16
[ 10.280000] [ INFO] ppp0: tun_net_receive_tun: IPv4 frame
[ 10.280000] [ INFO] ppp0: ipv4_in: WARNING: Not destined for us; not
forwardable... Dropping!
[ 10.460000] [ INFO] ppp0: iob_copyin_internal: iob=0x24002b20 len=184
offset=0
[ 10.470000] [ INFO] ppp0: iob_copyin_internal: iob=0x24002b20 avail=154
len=184 next=0x24002a50
[ 10.470000] [ INFO] ppp0: iob_copyin_internal: iob=0x24002b20 Copy 154
bytes new len=154
[ 10.480000] [ INFO] ppp0: iob_copyin_internal: iob=0x24002a50 avail=16
len=30 next=0
[ 10.480000] [ INFO] ppp0: iob_copyin_internal: iob=0x24002a50 Copy 30 bytes
new len=30
[ 10.480000] [ INFO] ppp0: tun_net_receive_tun: IPv4 frame
[ 10.490000] [ INFO] ppp0: ipv4_in: WARNING: Not destined for us; not
forwardable... Dropping!
...
[ 12.500000] [ INFO] ppp0: iob_copyin_internal: iob=0x24002b20 len=184
offset=0
[ 12.510000] [ INFO] ppp0: iob_copyin_internal: iob=0x24002b20 avail=14
len=184 next=0x24002a50
[ 12.510000] [ INFO] ppp0: iob_copyin_internal: iob=0x24002b20 Copy 14 bytes
new len=14
[ 12.520000] [ INFO] ppp0: iob_copyin_internal: iob=0x24002a50 avail=156
len=170 next=0
[ 12.520000] [ INFO] ppp0: iob_copyin_internal: iob=0x24002a50 Copy 170
bytes new len=170
[ 12.520000] [ INFO] ppp0: tun_net_receive_tun: IPv4 frame
[ 12.530000] [ INFO] ppp0: ipv4_in: WARNING: Not destined for us; not
forwardable... Dropping!
[ 24.540000] [ INFO] ppp0: iob_copyin_internal: iob=0x24002b20 len=28
offset=0
[ 24.540000] [ INFO] ppp0: iob_copyin_internal: iob=0x24002b20 avail=0
len=28 next=0x24002a50
[ 24.550000] [ INFO] ppp0: iob_copyin_internal: iob=0x24002b20 Copy 0 bytes
new len=0
[ 24.550000] [ INFO] ppp0: iob_copyin_internal: iob=0x24002a50 avail=170
len=28 next=0
[ 24.550000] [ INFO] ppp0: iob_copyin_internal: iob=0x24002a50 Copy 28 bytes
new len=170
[ 24.560000] [ INFO] ppp0: tun_net_receive_tun: IPv4 frame
[ 24.560000] [ WARN] ppp0: ipv4_in: WARNING: IP packet shorter than length
in IP header
Im an running NuttX on a proprietary board with an STM32H723. Some of my
configs, which may be relevant:
CONFIG_MM_IOB=y
CONFIG_IOB_NBUFFERS=24
CONFIG_IOB_BUFSIZE=196
CONFIG_IOB_ALIGNMENT=4
CONFIG_IOB_SECTION=""
CONFIG_IOB_NCHAINS=24
CONFIG_IOB_THROTTLE=0
CONFIG_IOB_DEBUG=y
CONFIG_NET_TUN=y
CONFIG_TUN_NINTERFACES=2
CONFIG_NET_TUN_PKTSIZE=296
CONFIG_NETDEV_LATEINIT=y
The following patch seems to fix the issue, but I have no idea whether it is
the right approach.
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index f77ef7583d..5f6119b624 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -599,6 +599,10 @@ static void tun_net_receive_tun(FAR struct tun_device_s
*priv)
netdev_iob_clear(dev);
tun_fd_transmit(priv);
}
+ else
+ {
+ netdev_iob_release(dev);
+ }
}
/****************************************************************************
I assume that same issue exists for tun_net_receive_tap() too, and that the
same fix should be applied there (i can't test/verify this scenario).
Best regards
Kian
