From owner-freebsd-bugs Wed Nov 29 19:40:07 2000
Message-Id: <200011300334.eAU3Yna18739@freefall.freebsd.org>
Date: Wed, 29 Nov 2000 19:34:49 -0800 (PST)
From: ming@unixbox.com
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: kern/23187: possible panic when ipfw is used on ICMP on 4.2-stable

>Number:         23187
>Category:       kern
>Synopsis:       possible panic when ipfw is used on ICMP on 4.2-stable
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Nov 29 19:40:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Ming Zhang
>Release:        4.2-stable
>Organization:
>Environment:
FreeBSD bluerose.windmoon.nu 4.2-STABLE FreeBSD 4.2-STABLE #27: Tue Nov 28 23:21:47 PST 2000 fengyue@bluerose.windmoon.nu:/usr/src/sys/compile/bluerose i386 b
>Description:
The ofin struct passed into fr_makefrip() from ip_state.c is created on the local function stack and its fin_v member is not init'ed.

fr_makefrip() checks fin_v to determine whether to execute IPV6 code or IPV4 code; however, fin_v's value is undetermined and thus it's possible it may contain 6 while the packet (ip_t) is an IPV4 packet, and this may cause the kernel to panic sometimes (happened once to me already).
>How-To-Repeat:
Tough to reproduce the crash, but very easy to get fr_makefrip() to execute IPV6 code when dealing with IPV4 ICMP packets. Simply keep doing traceroute to some hosts on the net; eventually fin_v may contain the value 6.
>Fix:
Change

    v = fin->fin_v;

to

    v = fin->fin_v = ip->ip_v;

The patch is at http://www.windmoon.nu/mypatch
>Release-Note:
>Audit-Trail:
>Unformatted:
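The bug class behind this report, a stack-allocated struct whose uninitialized member is later used as a branch discriminator, is easy to show in isolation. The following C program is an added illustration written for this page; it is not IPFilter's or FreeBSD's code and uses toy names (`toy_fr_info_t`, `makefrip_buggy`, `makefrip_fixed`, `ip_version_of`) and constructed packet bytes. It contrasts the original shape, which trusts whatever `fin_v` already holds, with the report's proposed fix, which derives the version from the packet header and writes it back into `fin_v`. Because reading a truly uninitialized member is undefined behaviour, the "garbage" left in `fin_v` is set explicitly so the demonstration is deterministic.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy stand-in for IPFilter's fr_info_t, reduced to the members that matter here. */
typedef struct {
    int fin_v;      /* IP version that later code branches on */
    int fin_hlen;   /* header length filled in by the parser */
} toy_fr_info_t;

/* Version nibble of a raw IP header: the high four bits of the first byte. */
static int ip_version_of(const uint8_t *pkt) {
    return pkt[0] >> 4;
}

/* Buggy shape: trusts fin->fin_v. If the caller built fin on the stack and
 * never set fin_v, this branch is driven by whatever was left in memory. */
static int makefrip_buggy(const uint8_t *pkt, toy_fr_info_t *fin) {
    int v = fin->fin_v;
    if (v == 6) {
        fin->fin_hlen = 40;               /* IPv6 fixed header; misparses an IPv4 packet */
        return 6;
    }
    fin->fin_hlen = (pkt[0] & 0x0f) * 4;  /* IPv4 IHL, in 32-bit words */
    return 4;
}

/* Fixed shape (the change the report proposes): take the version from the
 * packet itself and store it so every later consumer of fin_v agrees. */
static int makefrip_fixed(const uint8_t *pkt, toy_fr_info_t *fin) {
    int v = fin->fin_v = ip_version_of(pkt);
    if (v == 6) {
        fin->fin_hlen = 40;
        return 6;
    }
    fin->fin_hlen = (pkt[0] & 0x0f) * 4;
    return 4;
}

/* Constructed sample headers. IPv4: version 4, IHL 5, TTL 64, protocol 1 (ICMP),
 * 10.0.0.1 -> 10.0.0.2. IPv6: only the version nibble is populated. */
static const uint8_t ipv4_icmp_pkt[20] = {
    0x45, 0x00, 0x00, 0x14, 0, 0, 0, 0, 64, 1, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2
};
static const uint8_t ipv6_pkt[40] = { 0x60 };

/* Models a caller that leaves fin_v holding a stale value from a previous use
 * of the same stack region. The value is set explicitly to avoid undefined
 * behaviour while still reproducing the report's scenario. */
static toy_fr_info_t stale_fin(int stale_v) {
    toy_fr_info_t fin;
    fin.fin_v = stale_v;
    fin.fin_hlen = 0;
    return fin;
}

/* Stale 6 + IPv4 packet: the buggy code takes the IPv6 path. */
int buggy_path_for_ipv4(void) {
    toy_fr_info_t fin = stale_fin(6);
    return makefrip_buggy(ipv4_icmp_pkt, &fin);
}

/* Same stale state, fixed code: the packet's own version wins. */
int fixed_path_for_ipv4(void) {
    toy_fr_info_t fin = stale_fin(6);
    return makefrip_fixed(ipv4_icmp_pkt, &fin);
}

/* After the fixed parser runs, fin_v and fin_hlen are consistent with the packet. */
int fixed_fin_v_after_ipv4(void) {
    toy_fr_info_t fin = stale_fin(6);
    makefrip_fixed(ipv4_icmp_pkt, &fin);
    return fin.fin_v;
}
int fixed_hlen_after_ipv4(void) {
    toy_fr_info_t fin = stale_fin(6);
    makefrip_fixed(ipv4_icmp_pkt, &fin);
    return fin.fin_hlen;
}

/* Stale 4 + IPv6 packet: the fixed code still picks the IPv6 path. */
int fixed_path_for_ipv6(void) {
    toy_fr_info_t fin = stale_fin(4);
    return makefrip_fixed(ipv6_pkt, &fin);
}

int main(void) {
    printf("buggy, IPv4 packet, stale fin_v=6 -> path %d\n", buggy_path_for_ipv4());
    printf("fixed, IPv4 packet, stale fin_v=6 -> path %d, hlen %d\n",
           fixed_path_for_ipv4(), fixed_hlen_after_ipv4());
    printf("fixed, IPv6 packet, stale fin_v=4 -> path %d\n", fixed_path_for_ipv6());
    return 0;
}
```

The general lesson is the one the report makes for fr_makefrip(): a field that selects a parsing path must be populated from the data being parsed (or zero-initialized at the declaration) before anything branches on it, and a review or a compiler warning for uninitialized members (`-Wuninitialized`, or a sanitizer such as MemorySanitizer) catches this class before it reaches a kernel.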