Date:      Thu, 14 Feb 2002 19:02:33 +0100 (CET)
From:      <kurnik@kurnik.pl>
To:        Ruslan Ermilov <ru@FreeBSD.ORG>
Cc:        Maxime Henrion <mux@sneakerz.org>, freebsd-security@FreeBSD.ORG, "Jacques A. Vidrine" <nectar@FreeBSD.ORG>
Subject:   Re: FreeBSD 4.5 syncache problem
Message-ID:  <Pine.LNX.4.21.0202141856260.15020-100000@polchat.pl>
In-Reply-To: <20020214181527.B92824@sunbay.com>

On Thu, 14 Feb 2002, Ruslan Ermilov wrote:

> On Thu, Feb 14, 2002 at 10:04:33AM -0600, Maxime Henrion wrote:
> > Jacques A. Vidrine (nectar@FreeBSD.org) wrote:
> > > On Thu, Feb 14, 2002 at 07:37:07AM -0600, Maxime Henrion wrote:
> > > > Maxime Henrion (mux@sneakerz.org) wrote:
> > > > > kurnik@kurnik.pl (kurnik@kurnik.pl) wrote:
> > > > > > Hi!
> > > > > > 
> > > > > > I'd like to migrate my Linux powered server to FreeBSD 4.5 but there's
> > > > > > a critical syncache-related bug that makes it easy to remotely cause
> > > > > > a kernel panic on any server running FreeBSD 4.5.
> > > > > > (more on this bug at www.freebsd.org/cgi/query-pr.cgi?pr=kern/34658)
> > > > > 
> > > > > Could you provide a way to reliably reproduce it?  I'm sure this would
> > > > > help a lot getting this bug fixed, since it's not mentioned in the PR.
> > > > 
> > > > Please discard my mail, it really looks like this is fixed in rev1.11 of
> > > > tcp_syncache.c.
> > > 
> > > Hello Maxime,
> > > 
> > > Can you confirm:
> > > After applying rev 1.11 of tcp_syncache.c to your 4.5-RELEASE system,
> > > your issue was resolved?
> > > 
> > > I'd like to MFC this revision, but I wanted to be sure that it worked
> > > for you on a real system.
> > 
> > Sorry for the confusion, but I was replying to myself here :-)  The person
> > who experienced the syncache panic is kurnik@kurnik.pl.
> > 
> I think just MFC'ing this revision might not fix the problem.
> Jonathan posted a patch along these lines (the second hunk):
> 
> Index: tcp_syncache.c
> ===================================================================
> RCS file: /home/ncvs/src/sys/netinet/tcp_syncache.c,v
> retrieving revision 1.5.2.4
> diff -u -p -r1.5.2.4 tcp_syncache.c
> --- tcp_syncache.c	2002/01/24 16:09:08	1.5.2.4
> +++ tcp_syncache.c	2002/02/14 16:14:10
> @@ -839,6 +839,11 @@ syncache_add(inc, to, th, sop, m)
>  		 */
>  		if (sc->sc_flags & SCF_TIMESTAMP)
>  			sc->sc_tsrecent = to->to_tsval;
> +		/*
> +		 * PCB may have changed, pick up new values.
> +		 */
> +		sc->sc_tp = tp;
> +		sc->sc_inp_gencnt = tp->t_inpcb->inp_gencnt;
>  		if (syncache_respond(sc, m) == 0) {
>  		        s = splnet();
>  			TAILQ_REMOVE(&tcp_syncache.timerq[sc->sc_rxtslot],
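
Review bot: the added `sc->sc_inp_gencnt = tp->t_inpcb->inp_gencnt;` in syncache_add dereferences both `tp` and `tp->t_inpcb` with no check visible in this hunk, so if either can be NULL on this path the refresh itself becomes a panic. Please confirm the caller guarantees both are valid here, or guard the assignment. The new comment "PCB may have changed, pick up new values" would also help more if it said why the values cached in `sc` can go stale, since that is the reason the refresh has to happen before syncache_respond() is called.
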
> @@ -1314,6 +1319,7 @@ syncookie_lookup(inc, th, so)
>  	 * Fill in the syncache values.
>  	 * XXX duplicate code from syncache_add
>  	 */
> +	sc->sc_tp = sototcpcb(so);
>  	sc->sc_ipopts = NULL;
>  	sc->sc_inc.inc_fport = inc->inc_fport;
>  	sc->sc_inc.inc_lport = inc->inc_lport;
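
Review bot: in syncookie_lookup only `sc->sc_tp` is filled in, while the syncache_add hunk refreshes both `sc_tp` and `sc_inp_gencnt`; the visible lines here never set `sc_inp_gencnt`, so any later comparison against it for an entry built on this path would use whatever the field happened to contain. Suggest adding the matching gencnt assignment next to `sc->sc_tp = sototcpcb(so);`, or, given the existing "XXX duplicate code from syncache_add" comment, moving the shared initialization into one helper so the two paths cannot drift apart again.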


I've got a patch from the guy who submitted this bug (Alan Judge) but it
(the patch) only added one line of code [ sc->sc_tp = sototcpcb(so) ] to
tcp_syncache.c and it solved the problem for me.

I'll try the above patch and the one posted later and if something goes
wrong, I'll tell you (otherwise assume everything went OK).


cheers,
Marek Futrega

-- 

KURNIK! -- online games worth the candle :)
http://www.kurnik.pl/


