From owner-freebsd-net@FreeBSD.ORG Thu Aug 25 21:09:46 2005 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 26F3816A41F for ; Thu, 25 Aug 2005 21:09:46 +0000 (GMT) (envelope-from andre@freebsd.org) Received: from c00l3r.networx.ch (c00l3r.networx.ch [62.48.2.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6431B43D46 for ; Thu, 25 Aug 2005 21:09:45 +0000 (GMT) (envelope-from andre@freebsd.org) Received: (qmail 54938 invoked from network); 25 Aug 2005 20:48:35 -0000 Received: from unknown (HELO freebsd.org) ([62.48.0.53]) (envelope-sender ) by c00l3r.networx.ch (qmail-ldap-1.03) with SMTP for ; 25 Aug 2005 20:48:35 -0000 Message-ID: <430E339F.3BAEDB8D@freebsd.org> Date: Thu, 25 Aug 2005 23:09:51 +0200 From: Andre Oppermann X-Mailer: Mozilla 4.8 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: Max Laier References: <430E25A3.8080503@borderware.com> <200508252301.09736.max@love2party.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Cc: freebsd-net@freebsd.org, ming fu Subject: Re: FreeBSD 5 ip_gre and netisr_enable=1 X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 Aug 2005 21:09:46 -0000 Max Laier wrote: > > On Thursday 25 August 2005 22:10, ming fu wrote: > > Hi, > > > > This problem exit in some old gre.c (not a part of official freebsd) to > > handle wccp packets. A carefully crafted packet can cause it to deplete > > kernel stack and casuing a panic. It can crash a 4.2 kernel with about > > 200-300 repeated ip+gre header. > > > > I believe the problem appears on FreeBSD 5 with ip_gre() and > > net.isr.enable = 1. It probably easier to crash a 5.x because more calls > > are involved in FreeBSD 5 than 4.x, thus more stack can be consumed with > > the same repetition of headers. > > > > when a GRE packet gets into the ip_gre2(), its gre header is stripped > > and sent to netisr_dispatch() for ip_input() processing again. In case, > > the net.isr.enable is 1, the packet will be delivered to ip_input > > directly instead of put in the queue. > > > > If someone create a packet consists of repeated ip and gre header, > > > > ip hdr : gre hdr : ip hdr : gre hdr : ...... repeat a few > > hundred times. > > > > it can cause a loop around > > ip_gre->ip_gre2->netisr_dispatch->ip_input->ip_gre ..., not too > > difficult to deplete the kernel stack. > > > > It only takes 24 bytes to force the kernel to go one round through these > > calls. > > > > Any suggestion of how to fix this? > > > > send the gre stripped packet to netisr_queue() is an easy, albeit slow > > solution. > > > > I fix the older gre.c file by making sure the inner packet is not a GRE > > before deliver to ip_input. However, it was ugly to parse the inner > > header of in ip_gre2(). > > You could use an mbuf_tag to keep track of recursion in the same way it is > done in gif. There is certainly some overhead involved as well, however. Or set "m->m_pkthdr.rcvif = self" in gre_output() and in gre_input() check for (m->m_pkthdr.rcvif != self). -- Andre