Date:      Mon, 18 Sep 2000 11:56:43 -0300
From:      Fred Souza <cseg@kronus.com.br>
To:        security@freebsd.org
Subject:   Panic when receiving packets with invalid versions
Message-ID:  <20000918115643.A470@torment.secfreak.com>

Hi all,

  I was just playing around with ISIC <http://expert.cc.purdue.edu/~frantzen/>;
  and noticed something strange on FreeBSD's IP stack (my system is
  4.1-STABLE, built with the source-tree of 09/10).

  It seems the system cannot handle a certain amount of packets built with
  invalid IP version numbers, and will reboot after a short period of time.

  My first attempt was:

  torment:ttyv0:~# isic -D -s rand -d 192.168.0.1 -r rand
  Using random source IP's
  Compiled against Libnet 1.0.1b
  Installing Signal Handlers.
  Seeding with 0
  No Maximum traffic limiter
  Bad IP Version  = 10%           Odd IP Header Length    = 50%         Frag'd Pcnt     = 30%
  138.156.122.75 -> 192.168.0.1 tos[57] id[0] ver[4] frag[0]
  49.225.236.60 -> 192.168.0.1 tos[236] id[1] ver[4] frag[0]

  Then...

  Fatal trap 12: page fault while in kernel mode
  fault virtual address   = 0x0
  fault code              = supervisor read, page not present
  instruction pointer     = 0x8:0xc0190b43
  stack pointer           = 0x10:0xc644acc0
  frame pointer           = 0x10:0xc644acec
  code segment            = base 0x0, limit 0xfffff, type 0x1b
                          = DPL 0, pres 1, def32 1, gran 1
  processor eflags        = interrupt enabled, resume, IOPL = 0
  current process         = 238 (isic)
  interrupt mask          =
  trap number             = 12
  panic: page fault


  By this time, I wasn't sure if the fault occurred due to outgoing invalid
  packets, or the incoming ones.  Then, after the reboot, I tried:
  torment:ttyv2:~# isic -D -s rand -d 192.168.0.1 -r rand -V0
  Using random source IP's
  Compiled against Libnet 1.0.1b
  Installing Signal Handlers.
  Seeding with 0
  No Maximum traffic limiter
  Bad IP Version  = 0%            Odd IP Header Length    = 50%         Frag'd Pcnt     = 30%
  138.156.122.75 -> 192.168.0.1 tos[57] id[0] ver[4] frag[0]
  49.225.236.60 -> 192.168.0.1 tos[236] id[1] ver[4] frag[0]
  186.159.114.116 -> 192.168.0.1 tos[41] id[2] ver[4] frag[0]
  110.39.117.87 -> 192.168.0.1 tos[4] id[3] ver[4] frag[35696]
  144.254.169.98 -> 192.168.0.1 tos[182] id[4] ver[4] frag[45378]
  [Lots of packets]


  And no page faults this time.  Yet, I tried sending the invalid packets to
  another host, and again, everything went just fine.  This way, I was sure
  the problem is about incoming invalid packets (or am I wrong about that?).

  I tried again sending invalid packets to myself, to ensure the first time
  wasn't "environment trash" just after the reboot, and the same happened.

  The next step I tried was to fix it.  But due to my limited ability to
  change kernel code, I couldn't.  I'm leaving this to the magicians, real
  kernel hackers to fix, if there's anything to fix at all (I'm still
  considering the possibility of this just being *my* fault.  I've had the
  same kind of page faults a few weeks ago with pppd.) :-)

  As far as I can tell, ip_input.c's ip_input() function checks the ip_v field
  of each packet and compares to IPVERSION (4).  If it doesn't match, the code
  jumps to the label "bad", where if IPFIREWALL_FORWARD is active, it sets
  ip_fw_fwd_addr to NULL, and discards the buffer of the incoming packet.

  Looks just right to me, and that's why I couldn't figure out how to fix this
  problem.  Can anybody else reproduce this kind of error, or should I smash
  my head against the wall and try to solve this by myself on my box?


Peace,
.cseg
-- 
"The most difficult thing in the world is to know how to do a thing and
to watch someone else do it wrong without comment."
                -- Theodore H. White
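Added example, not part of the mail above and not FreeBSD's own ip_input() code: a stand-alone C validator for the IPv4 header fields a receive path has to check before it trusts them. The mail describes only the ip_v versus IPVERSION comparison; this example goes further and also bounds the header length (IHL) and total length against the captured length, which covers the other two fault classes ISIC exercises ("Odd IP Header Length" and fragments). The packets it runs over are constructed inline, and the names ip_validate, make_ipv4_header, check_case and batch_verdict_count are this example's own, not kernel symbols.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IPVERSION   4     /* the constant ip_input() compares ip_v against */
#define IP_MIN_HLEN 20    /* IPv4 header without options */

enum ip_verdict { IP_OK = 0, IP_BAD_VERSION, IP_BAD_HLEN, IP_BAD_LEN, IP_TRUNCATED };

static const char *verdict_name(enum ip_verdict v)
{
    static const char *const names[] = { "ok", "bad-version", "bad-hlen", "bad-len", "truncated" };
    return names[v];
}

/* Check the fixed part of an IPv4 header against the number of bytes that
 * actually arrived, before any later code relies on ip_hl or ip_len.
 * Every failure is a drop reason, never a dereference. */
enum ip_verdict ip_validate(const uint8_t *pkt, size_t caplen)
{
    if (pkt == NULL || caplen < IP_MIN_HLEN)
        return IP_TRUNCATED;                    /* too short to read the fields at all */
    unsigned ver  = pkt[0] >> 4;
    unsigned hlen = (pkt[0] & 0x0f) * 4u;       /* IHL is counted in 32-bit words */
    if (ver != IPVERSION)
        return IP_BAD_VERSION;                  /* the check the mail describes */
    if (hlen < IP_MIN_HLEN || hlen > caplen)
        return IP_BAD_HLEN;                     /* IHL < 5, or options run past the capture */
    unsigned tot = ((unsigned)pkt[2] << 8) | pkt[3];
    if (tot < hlen)
        return IP_BAD_LEN;                      /* total length shorter than the header */
    if (tot > caplen)
        return IP_TRUNCATED;                    /* claims more bytes than were received */
    return IP_OK;
}

/* Build a minimal IPv4 header with a chosen version, IHL and total length
 * into buf (at least 20 bytes). Constructed test input, not a real capture. */
size_t make_ipv4_header(uint8_t *buf, unsigned ver, unsigned ihl, unsigned totlen)
{
    memset(buf, 0, IP_MIN_HLEN);
    buf[0] = (uint8_t)((ver << 4) | (ihl & 0x0f));
    buf[2] = (uint8_t)(totlen >> 8);
    buf[3] = (uint8_t)(totlen & 0xff);
    buf[8] = 64;          /* TTL */
    buf[9] = 17;          /* protocol: UDP */
    return IP_MIN_HLEN;
}

/* Build one header and validate it; handy for single cases. */
enum ip_verdict check_case(unsigned ver, unsigned ihl, unsigned totlen)
{
    uint8_t pkt[IP_MIN_HLEN];
    size_t n = make_ipv4_header(pkt, ver, ihl, totlen);
    return ip_validate(pkt, n);
}

/* Run the validator over a constructed batch resembling ISIC's mix of
 * good packets, bad versions and odd header lengths, and count verdicts.
 * Returns the number of packets that passed. */
unsigned count_batch(unsigned counts[5])
{
    static const unsigned cases[][3] = {   /* version, ihl, totlen */
        { 4, 5, 20 },   /* ok */
        { 4, 5, 20 },   /* ok */
        { 10, 5, 20 },  /* bad IP version, as in the first ISIC run */
        { 4, 2, 20 },   /* odd IP header length: IHL below the minimum */
        { 4, 5, 8 },    /* total length smaller than the header */
        { 4, 5, 1500 }  /* claims more bytes than were captured */
    };
    memset(counts, 0, 5 * sizeof counts[0]);
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        counts[check_case(cases[i][0], cases[i][1], cases[i][2])]++;
    return counts[IP_OK];
}

/* Number of packets in the constructed batch that got verdict v. */
unsigned batch_verdict_count(enum ip_verdict v)
{
    unsigned counts[5];
    count_batch(counts);
    return counts[v];
}

int main(void)
{
    unsigned counts[5];
    count_batch(counts);
    for (int v = 0; v < 5; v++)
        printf("%-12s %u\n", verdict_name((enum ip_verdict)v), counts[v]);
    return 0;
}
```

The ordering of the checks matters: the version and IHL are read from the first byte only after the capture is known to hold a full minimum header, and ip_len is only compared after the header length it must exceed has itself been bounded, so no later stage can index past the buffer on the strength of a field it has not yet checked.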