Date: Wed, 29 Nov 2000 19:34:49 -0800 (PST)
From: ming@unixbox.com
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/23187: possible panic when ipfw is used on ICMP on 4.2-stable
Message-ID: <200011300334.eAU3Yna18739@freefall.freebsd.org>
>Number:         23187
>Category:       kern
>Synopsis:       possible panic when ipfw is used on ICMP on 4.2-stable
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Nov 29 19:40:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Ming Zhang
>Release:        4.2-stable
>Organization:
>Environment:
FreeBSD bluerose.windmoon.nu 4.2-STABLE FreeBSD 4.2-STABLE #27: Tue Nov 28 23:21:47 PST 2000 fengyue@bluerose.windmoon.nu:/usr/src/sys/compile/bluerose i386 b
>Description:
The ofin struct passed into fr_makefrip() from ip_state.c is created on the local function stack and its fin_v member is not init'ed. fr_makefrip() checks fin_v to determine whether to execute IPV6 code or IPV4 code; however, fin_v's value is undetermined and thus it's possible it may contain 6 while the packet (ip_t) is an IPV4 packet, and this may cause the kernel to panic sometimes (happened once to me already).
>How-To-Repeat:
Tough to reproduce the crash, but very easy to get fr_makefrip() to execute IPV6 code when dealing with IPV4 ICMP packets. Simply keep doing traceroute to some hosts on the net; eventually fin_v may contain the value 6.
>Fix:
Change
    v = fin->fin_v;
to
    v = fin->fin_v = ip->ip_v;
The patch is at http://www.windmoon.nu/mypatch
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
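The bug class described in this PR, as an added example that is not part of the report or of ipfilter's source: a per-packet struct built on the stack whose version field is read before it is set, so stale stack contents can steer an IPv4 packet down the IPv6 path. The struct name, field names and both sample headers are constructed stand-ins, not ipfilter's real fr_info_t or fr_makefrip(); `make_frip_fixed` mirrors the PR's fix (derive the version from the header and store it) and adds a length and version check.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the per-packet info struct that ip_state.c builds on its
 * stack (hypothetical field names, not ipfilter's real fr_info_t). */
struct pkt_info {
    int fin_v;     /* IP version the rest of the filter dispatches on */
    int fin_hlen;  /* network header length in bytes */
    int fin_p;     /* transport protocol / next header */
};

/* Constructed sample: 20-byte IPv4 header, proto 1 (ICMP), 8-byte echo request. */
const uint8_t sample_v4_icmp[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x12, 0x34, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2, 0x08, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01 };
/* Constructed sample: 40-byte IPv6 header, next header 58 (ICMPv6), rest zero. */
const uint8_t sample_v6_icmp[40] = { 0x60, 0, 0, 0, 0, 8, 58, 64 };

/* Shape of the reported bug: trusts whatever fin_v already holds, which for a
 * fresh stack struct is indeterminate. Returns the version it dispatched on. */
int make_frip_buggy(const uint8_t *pkt, struct pkt_info *fin) {
    int v = fin->fin_v;
    if (v == 6) {                 /* IPv6 path, even though pkt may be IPv4 */
        fin->fin_hlen = 40;
        fin->fin_p = pkt[6];      /* misreads the IPv4 flags/fragment byte */
    } else {
        fin->fin_hlen = (pkt[0] & 0x0f) * 4;
        fin->fin_p = pkt[9];
    }
    return v;
}

/* Shape of the PR's fix: take the version from the packet header itself and
 * store it, so stale stack contents can never steer the dispatch. Also checks
 * the length and rejects anything but 4 or 6; returns the version or -1. */
int make_frip_fixed(const uint8_t *pkt, size_t len, struct pkt_info *fin) {
    if (len < 1) return -1;
    int v = fin->fin_v = pkt[0] >> 4;   /* version lives in the high nibble */
    if (v == 4 && len >= 20) {
        fin->fin_hlen = (pkt[0] & 0x0f) * 4;
        fin->fin_p = pkt[9];
    } else if (v == 6 && len >= 40) {
        fin->fin_hlen = 40;
        fin->fin_p = pkt[6];
    } else {
        return -1;
    }
    return v;
}
```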