Date:      Tue, 23 Nov 2010 16:21:35 +0800
From:      Adrian Chadd <adrian.chadd@gmail.com>
To:        FreeBSD Net <freebsd-net@freebsd.org>
Cc:        Luigi Rizzo <rizzo@iet.unipi.it>
Subject:   Re: ipfw and bridge: unaligned payload pointers panicing perfectly performing MIPS boxes
Message-ID:  <AANLkTikrfWi9LgX8qKD85o6NTZo89iZF1QsQpLnHgAsU@mail.gmail.com>
In-Reply-To: <AANLkTi=qr1-m%2Bq=QMFNAMjM_i_wPgNXsPQ%2B6rfN_tc2L@mail.gmail.com>
References:  <AANLkTi=qr1-m%2Bq=QMFNAMjM_i_wPgNXsPQ%2B6rfN_tc2L@mail.gmail.com>

Hi again,

bz and I have done a bit of sleuthing. There's a few problems!

Firstly - bridge_pfil() in sys/net/if_bridge.c calls a couple of
functions to check the validity and alignment of ipv4/ipv6 packets
(ie, bridge_ip_checkbasic() and bridge_ip6_checkbasic().) But
bridge_ip6_checkbasic() is only called if the kernel is compiled with
INET6. This MIPS platform I'm working on currently doesn't have INET6
compiled in, so:

* IPv6 packet arrives in if_bridge
* It doesn't get passed to bridge_ip6_checkbasic()
* It gets punted to ipfw_chk()  (I have net.link.bridge.ipfw set to 1)
* ipfw_chk() sees the ethertype being IPv6 so it does the check
whether the IP header version is IPv6 - but at that stage (struct ip
*) ip is unaligned and an exception occurs.

The fix - compile in INET6. :-/ I'd like to not rely on that though!

Secondly - other misaligned packets were sneaking in. That's fine for
now - the payload shouldn't be being fondled. But the ethertype was
garbage. What bz and I found is that it's a SNAP packet (the ethertype
being 0x001b) and although if_bridge.c::bridge_pfil() strips the SNAP
header from the mbuf, the copy of the ethernet header it passes to
ipfw_chk() still has the old ethertype set.

Suggestion - when stripping off the SNAP header, set eh2.ether_type to
the "correct" ether type, rather than the SNAP length field.

2c,


Adrian
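
Both problems in the message above come down to classifying the frame before any code dereferences the payload. The following is an added userland example, not code from the original message or from FreeBSD's if_bridge.c or ipfw: it reports the encapsulated ethertype for a SNAP frame instead of the 802.3 length, and checks the IP version with a single byte load so the check does not depend on payload alignment or on which address families are compiled in. The names `classify_frame`, `classify_sample` and `struct l3_view` are hypothetical, and the sample frame is constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define ETH_HDR_LEN  14
#define SNAP_HDR_LEN 8       /* LLC DSAP/SSAP/control (3) + OUI (3) + type (2) */
#define ETH_TYPE_MIN 0x0600  /* smaller values are an 802.3 length, not a type */
#define ETH_IPV4     0x0800
#define ETH_IPV6     0x86dd

struct l3_view { uint16_t ether_type; size_t l3_off; int ip_version; };
/* Big-endian 16-bit read built from byte loads, so it works at any alignment. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Hypothetical helper: 0 = ok, -1 = truncated or IP version/ethertype mismatch. */
int classify_frame(const uint8_t *f, size_t len, struct l3_view *v)
{
    if (len < ETH_HDR_LEN) return -1;
    *v = (struct l3_view){ .ether_type = rd16(f + 12), .l3_off = ETH_HDR_LEN };
    if (v->ether_type < ETH_TYPE_MIN && len >= ETH_HDR_LEN + SNAP_HDR_LEN) {
        const uint8_t *llc = f + ETH_HDR_LEN;
        if (llc[0] == 0xaa && llc[1] == 0xaa && llc[2] == 0x03 &&
            !(llc[3] | llc[4] | llc[5])) {  /* OUI 00:00:00: type is an ethertype */
            v->ether_type = rd16(llc + 6);  /* encapsulated type, not the length */
            v->l3_off += SNAP_HDR_LEN;
        }
    }
    if (v->ether_type == ETH_IPV4 || v->ether_type == ETH_IPV6) {
        if (len <= v->l3_off) return -1;
        v->ip_version = f[v->l3_off] >> 4;  /* single byte load, no struct ip cast */
        if (v->ip_version != (v->ether_type == ETH_IPV4 ? 4 : 6)) return -1;
    }
    return 0;
}

/* Constructed sample: 802.3 length 0x001b, then a SNAP header carrying 0x86dd. */
int classify_sample(uint8_t first_payload_byte, struct l3_view *v)
{
    uint8_t f[ETH_HDR_LEN + 0x1b] = { [13] = 0x1b, [14] = 0xaa, [15] = 0xaa,
                                      [16] = 0x03, [20] = 0x86, [21] = 0xdd };
    f[ETH_HDR_LEN + SNAP_HDR_LEN] = first_payload_byte;
    return classify_frame(f, sizeof(f), v);
}

int main(void)
{
    struct l3_view v;
    int rc = classify_sample(0x60, &v);
    printf("rc=%d type=0x%04x off=%zu ver=%d\n", rc, v.ether_type, v.l3_off, v.ip_version);
    return rc;
}
```

With a 14-byte Ethernet header the payload starts at offset 14, or 22 after a SNAP header, so in a 4-byte-aligned buffer it sits on a 2-byte boundary; that is why the example never casts the payload to a header struct.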


