kernel/1541: ipf fastroute makes kernel panic.
- To: gnats@openbsd.org
- Subject: kernel/1541: ipf fastroute makes kernel panic.
- From: Hiroki Nakano <cas@trans-nt.com>
- Date: Mon, 04 Dec 2000 00:20:17 +0900
- Resent-Date: Sun, 3 Dec 2000 08:20:02 -0700 (MST)
- Resent-From: gnats@cvs.openbsd.org (GNATS Management)
- Resent-Message-Id: <200012031520.eB3FK2C31152@cvs.openbsd.org>
- Resent-Reply-To: gnats@cvs.openbsd.org
- Received: from openbsd.cs.colorado.edu (openbsd.cs.colorado.edu [128.138.192.83]) by cvs.openbsd.org (8.10.1/8.10.1) with ESMTP id eB3FJWD16698 for <gnats@cvs.openbsd.org>; Sun, 3 Dec 2000 08:19:33 -0700 (MST)
- Resent-Sender: owner-bugs@openbsd.org
- Resent-To: bugs@cvs.openbsd.org
>Number: 1541
>Category: kernel
>Synopsis: kernel panic when using 'fastroute' in ipf rule
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: bugs
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Dec 3 08:20:01 MST 2000
>Last-Modified:
>Originator: Hiroki Nakano
>Organization:
net
>Release: 2.8
>Environment:
<machine, os, target, libraries (multiple lines)>
System : OpenBSD 2.8
Architecture: OpenBSD.i386
Machine : i386
>Description:
When you specify 'fastroute' in an ipf rule set and
a packet is matched, the fr_check() function of ip filter
forwards the packet and sets the pointer to the mbuf in the
argument list to zero, but ip_input() and ip_output()
don't care about such a case, touch *(0) and then panic...
>How-To-Repeat:
Do:
# echo 'pass out on lo0 to lo1 from any to any' | ipf -f - -E
and then
# ping 127.0.0.1
and you can see the kernel panic...
>Fix:
*** sys/netinet/ip_input.c.orig Fri Oct 13 11:01:10 2000
--- sys/netinet/ip_input.c Sun Dec 3 13:10:34 2000
***************
*** 420,425 ****
--- 420,432 ----
#endif /* IPSEC */
return;
}
+ if (m0 == 0) { /* in case of 'fastroute' */
+ #ifdef IPSEC
+ if (tdbi)
+ free(tdbi, M_TEMP);
+ #endif /* IPSEC */
+ return;
+ }
ip = mtod(m = m0, struct ip *);
}
#endif
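Review bot: the new m0 == 0 branch in ip_input.c returns without freeing m, which is only right if fr_check() took ownership of the mbuf when it cleared m0; the comment "in case of 'fastroute'" should say so explicitly, so that nobody later adds an m_freem() on this path. The block just above also ends in "#endif /* IPSEC */" and "return;", so the tdbi cleanup looks duplicated; a single exit path shared by both cases would keep them in step. For a pointer, comparing against NULL rather than 0 would also read better.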
*** sys/netinet/ip_output.c.orig Thu Oct 26 07:40:40 2000
--- sys/netinet/ip_output.c Sun Dec 3 13:14:59 2000
***************
*** 557,572 ****
error = EHOSTUNREACH;
splx(s);
goto done;
- } else {
- ip = mtod(m = m0, struct ip *);
- hlen = ip->ip_hl << 2;
}
}
#endif /* IPFILTER */
tdb = gettdb(sspi, &sdst, sproto);
if (tdb == NULL) {
error = EHOSTUNREACH;
m_freem(m);
goto done;
}
--- 557,577 ----
error = EHOSTUNREACH;
splx(s);
goto done;
}
+ if (m0 == 0) { /* in case of 'fastroute' */
+ error = 0;
+ splx(s);
+ goto done;
+ }
+ ip = mtod(m = m0, struct ip *);
+ hlen = ip->ip_hl << 2;
}
#endif /* IPFILTER */
tdb = gettdb(sspi, &sdst, sproto);
if (tdb == NULL) {
error = EHOSTUNREACH;
+ splx(s);
m_freem(m);
goto done;
}
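Review bot: in the added m0 == 0 branch, m is never reassigned (the "m = m0" assignment now comes after the check), so at "goto done" m still points at the mbuf the filter has already taken; please confirm that nothing after the done label reads or frees m, or set m to NULL before jumping. Separately, the splx(s) added before m_freem(m) in the "tdb == NULL" path is an independent fix for that error path and deserves its own mention in the report. Setting error = 0 reports success to the caller for a packet the filter forwarded itself; a comment stating that this is intended would help.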
***************
*** 597,604 ****
if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 1, &m0)) {
error = EHOSTUNREACH;
goto done;
! } else
! ip = mtod(m = m0, struct ip *);
}
#endif
/*
--- 602,613 ----
if (fr_checkp && (*fr_checkp)(ip, hlen, ifp, 1, &m0)) {
error = EHOSTUNREACH;
goto done;
! }
! if (m0 == 0) { /* in case of 'fastroute' */
! error = 0;
! goto done;
! }
! ip = mtod(m = m0, struct ip *);
}
#endif
/*
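Review bot: this second site in ip_output.c reloads ip from m0 but, unlike the first site, does not recompute hlen ("hlen = ip->ip_hl << 2;"); the old code had the same gap, but since these lines are being touched, either recompute it here or note why it is not needed. The stale-m question from the previous hunk applies to this "goto done" as well. The sequence of checking the return value, checking m0 and reloading ip now appears three times across the two files, so a small helper or macro would keep the sites from drifting apart.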
>Audit-Trail:
>Unformatted:
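
A user-space model of the contract the Description is about, added here as an illustration and not taken from the report or the OpenBSD tree. struct pkt, hook_check() and input_path() are hypothetical stand-ins for the mbuf, fr_check() and its caller; the rule that a blocked packet stays with the caller is an assumption of this model only.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for an mbuf; not a kernel type. */
struct pkt { size_t len; };
enum verdict { V_PASS, V_BLOCK, V_FASTROUTE };
static int forwarded;           /* packets the hook sent on by itself */

/*
 * Models the hook contract from the report: non-zero return = blocked;
 * zero with *pp == NULL = the hook forwarded the packet and consumed it.
 */
static int hook_check(enum verdict v, struct pkt **pp)
{
    if (v == V_BLOCK)
        return 1;
    if (v == V_FASTROUTE) {
        forwarded++;
        free(*pp);              /* hook owns the packet from here on */
        *pp = NULL;
    }
    return 0;
}

/* Returns the length handled locally, 0 if consumed, -1 if dropped. */
static long input_path(enum verdict v)
{
    struct pkt *p0 = calloc(1, sizeof(*p0)), *p;
    long n;

    if (p0 == NULL)
        return -1;              /* allocation failure, treated as a drop */
    p0->len = 20;
    if (hook_check(v, &p0)) {
        free(p0);               /* blocked: in this model we still own it */
        return -1;
    }
    if (p0 == NULL)             /* consumed: nothing to read or free */
        return 0;
    p = p0;                     /* only now is a dereference safe */
    n = (long)p->len;
    free(p);
    return n;
}

int main(void)
{
    printf("%ld %ld %ld\n", input_path(V_PASS), input_path(V_BLOCK),
        input_path(V_FASTROUTE));
    return 0;
}
```

Removing the p0 == NULL test in input_path() reproduces the shape of the reported bug: the caller reads through a pointer the hook has already cleared.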