From owner-freebsd-hackers Thu Dec 18 20:10:15 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id UAA19228 for hackers-outgoing; Thu, 18 Dec 1997 20:10:15 -0800 (PST) (envelope-from owner-freebsd-hackers)
Received: from alpo.whistle.com (alpo.whistle.com [207.76.204.38]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id UAA19216 for ; Thu, 18 Dec 1997 20:10:08 -0800 (PST) (envelope-from julian@whistle.com)
Received: (from daemon@localhost) by alpo.whistle.com (8.8.5/8.8.5) id UAA25320 for ; Thu, 18 Dec 1997 20:06:04 -0800 (PST)
Received: from UNKNOWN(), claiming to be "current1.whistle.com" via SMTP by alpo.whistle.com, id smtpd025307; Thu Dec 18 20:05:59 1997
Message-ID: <3499F202.794BDF32@whistle.com>
Date: Thu, 18 Dec 1997 20:03:14 -0800
From: Julian Elischer
Organization: Whistle Communications
X-Mailer: Mozilla 3.0Gold (X11; I; FreeBSD 2.2-CURRENT i386)
MIME-Version: 1.0
To: hackers@freebsd.org
Subject: ipfw fix
Sender: owner-freebsd-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

If you use ipfw and the "reset tcp" option, you may want to apply the following patch. In fact, you may want to do it if you MIGHT in the future do that.

Stops random kernel panics due to kernel stack overwrites.

This fix is valid for 2.2.5 and 3.0. It has just been checked in.

Content-Disposition: inline; filename="knarlybugfix.patch"

*** netinet/ip_fw.c 1997/11/22 13:00:48 1.51.2.6 --- new/netinet/ip_fw.c 1997/12/19 02:54:54 *************** *** 576,598 **** { struct tcphdr *const tcp = (struct tcphdr *) ((u_long *)ip + ip->ip_hl); !
struct tcpiphdr ti; if (offset != 0 || (tcp->th_flags & TH_RST)) break; ti.ti_i = *((struct ipovly *) ip); ti.ti_t = *tcp; ! NTOHL(ti.ti_seq); ! NTOHL(ti.ti_ack); ! ti.ti_len = ip->ip_len - hlen - (ti.ti_off << 2); if (tcp->th_flags & TH_ACK) { ! tcp_respond(NULL, &ti, *m, (tcp_seq)0, ntohl(tcp->th_ack), TH_RST); } else { if (tcp->th_flags & TH_SYN) ! ti.ti_len++; ! tcp_respond(NULL, &ti, *m, ti.ti_seq ! + ti.ti_len, (tcp_seq)0, TH_RST|TH_ACK); } *m = NULL; break; --- 576,599 ---- { struct tcphdr *const tcp = (struct tcphdr *) ((u_long *)ip + ip->ip_hl); ! struct tcpiphdr ti, *const tip = (struct tcpiphdr *) ip; if (offset != 0 || (tcp->th_flags & TH_RST)) break; ti.ti_i = *((struct ipovly *) ip); ti.ti_t = *tcp; ! bcopy(&ti, ip, sizeof(ti)); ! NTOHL(tip->ti_seq); ! NTOHL(tip->ti_ack); ! tip->ti_len = ip->ip_len - hlen - (tip->ti_off << 2); if (tcp->th_flags & TH_ACK) { ! tcp_respond(NULL, tip, *m, (tcp_seq)0, ntohl(tcp->th_ack), TH_RST); } else { if (tcp->th_flags & TH_SYN) ! tip->ti_len++; ! tcp_respond(NULL, tip, *m, tip->ti_seq ! + tip->ti_len, (tcp_seq)0, TH_RST|TH_ACK); } *m = NULL; break; *** netinet/tcp_subr.c 1997/09/30 16:25:11 1.31.2.3 --- new/netinet/tcp_subr.c 1997/12/19 03:01:16 *************** *** 168,173 **** --- 168,175 ---- * * In any case the ack and sequence number of the transmitted * segment are as specified by the parameters. + * + * NOTE: If m != NULL, then ti must point to *inside* the mbuf. */ void tcp_respond(tp, ti, m, ack, seq, flags)
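Review bot: in the ip_fw.c hunk (576,599), the reads through `tcp` that follow the new `bcopy(&ti, ip, sizeof(ti))` are no longer safe. `tcp` is `ip + (ip_hl << 2)` and `tip->ti_t` sits right after the 20-byte `ipovly`, so for an option-less IP header `tcp->th_ack` is the very same memory as `tip->ti_ack`; `NTOHL(tip->ti_ack)` has already swapped that field in place, so the `ntohl(tcp->th_ack)` in `tcp_respond(NULL, tip, *m, (tcp_seq)0, ntohl(tcp->th_ack), TH_RST)` swaps it back and the RST leaves with a byte-reversed sequence number on i386 (the old code was right here only because its stack copy left the packet bytes untouched). When IP options are present the 40-byte copy written at `ip` lands on top of the real TCP header at `ip + hlen`, so `tcp->th_flags` and `tcp->th_ack` then read shifted bytes. Suggest taking both the tests and the argument from the in-mbuf copy, which is already in host order: `if (tip->ti_flags & TH_ACK)`, `tcp_respond(NULL, tip, *m, (tcp_seq)0, tip->ti_ack, TH_RST)` and `if (tip->ti_flags & TH_SYN)`, or else latch `th_flags` and `th_ack` into locals before the bcopy.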
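Review bot: the new comment in tcp_subr.c (168,175) states the contract, "If m != NULL, then ti must point to *inside* the mbuf", but says neither why nor what happens when it is broken, and the cover note attributes random kernel stack overwrites to exactly this contract being violated by ip_fw.c. Suggest extending the comment to say that in the m != NULL case the reply is built in place at `ti` and the mbuf is repointed at it, so a pointer into caller stack becomes packet memory that outlives the frame, and adding a diagnostic check in that path that `ti` lies within the mbuf's data storage (panic under #ifdef DIAGNOSTIC), so the next caller that passes a stack `struct tcpiphdr` fails loudly rather than at random.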
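A user-space model of the failure this patch addresses, added here as an example (it is not code from this mail or from the FreeBSD tree): `pkt_buf` stands in for an mbuf, `respond_with_rst()` for the way `tcp_respond()` reuses the caller's buffer when handed one, and the `reject_*` functions for the ip_fw.c reject path before and after the patch. All of those names, and the packet bytes, are constructed for the illustration. Besides the stack-pointer problem it also shows the byte-order trap the patched code walks into when `ntohl(tcp->th_ack)` is applied to a field that aliases the already converted `tip->ti_ack`.

```c
/*
 * Added example, not code from the mail or from FreeBSD: a user-space
 * model of the bug class the patch fixes.  pkt_buf stands in for an mbuf,
 * respond_with_rst for tcp_respond(), the reject_* functions for the
 * ip_fw.c reject code before/after the patch.  Names and packet bytes
 * are constructed for this illustration.
 */
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>          /* htonl/ntohl/htons */

struct pkt_buf {                /* mbuf stand-in */
    uint8_t  store[128];        /* the buffer's own storage */
    uint8_t *data;              /* like m_data: start of packet */
    size_t   len;               /* like m_len */
};

/* Header views laid out to be 20 + 20 bytes with no padding. */
struct ip_hdr  { uint8_t vhl, tos; uint16_t len, id, off; uint8_t ttl, proto;
                 uint16_t sum; uint32_t src, dst; };
struct tcp_hdr { uint16_t sport, dport; uint32_t seq, ack; uint8_t off, flags;
                 uint16_t win, sum, urp; };
struct tcpip_hdr { struct ip_hdr ip; struct tcp_hdr tcp; };

/* tcp_respond() stand-in for the m != NULL case: it does NOT copy hdr,
 * it builds the reply in place at hdr and repoints the buffer at it. */
static void respond_with_rst(struct pkt_buf *m, struct tcpip_hdr *hdr,
                             uint32_t host_seq)
{
    uint32_t a = hdr->ip.src;    hdr->ip.src = hdr->ip.dst;       hdr->ip.dst = a;
    uint16_t p = hdr->tcp.sport; hdr->tcp.sport = hdr->tcp.dport; hdr->tcp.dport = p;
    hdr->tcp.seq = htonl(host_seq);
    hdr->tcp.ack = 0;
    hdr->tcp.flags = 0x04;                  /* TH_RST */
    m->data = (uint8_t *)hdr;               /* m->m_data = (caddr_t)ti */
    m->len = sizeof *hdr;
}

/* Constructed sample: a bare ACK segment carrying the given host-order ack. */
void make_packet(struct pkt_buf *m, uint32_t host_ack)
{
    struct tcpip_hdr h;
    memset(m, 0, sizeof *m);
    memset(&h, 0, sizeof h);
    h.ip.vhl = 0x45; h.ip.proto = 6; h.ip.len = htons(sizeof h);
    h.ip.src = htonl(0x0a000001); h.ip.dst = htonl(0x0a000002);
    h.tcp.sport = htons(40000); h.tcp.dport = htons(22);
    h.tcp.ack = htonl(host_ack); h.tcp.off = 5 << 4; h.tcp.flags = 0x10; /* TH_ACK */
    m->data = m->store + 16;                /* link-layer headroom */
    m->len = sizeof h;
    memcpy(m->data, &h, sizeof h);
}

/* Does the data pointer lie inside the buffer's own storage?  Compared as
 * integers so that a pointer to foreign memory is never dereferenced. */
int data_is_in_buffer(const struct pkt_buf *m)
{
    uintptr_t lo = (uintptr_t)m->store, hi = lo + sizeof m->store;
    uintptr_t d = (uintptr_t)m->data;
    return d >= lo && d + m->len <= hi;
}

/* Host-order sequence number of the reply now sitting in the buffer. */
uint32_t reply_seq(const struct pkt_buf *m)
{
    struct tcpip_hdr h;
    memcpy(&h, m->data, sizeof h);
    return ntohl(h.tcp.seq);
}

/* BEFORE the patch: header assembled in a local, its address handed to the
 * responder.  The verdict is taken while ti is still alive; once this
 * returns, m->data points into a dead stack frame. */
int reject_broken(struct pkt_buf *m)
{
    struct tcpip_hdr ti;
    memcpy(&ti, m->data, sizeof ti);
    respond_with_rst(m, &ti, ntohl(ti.tcp.ack));
    return data_is_in_buffer(m);            /* 0: points at the stack */
}

/* AFTER the patch: assemble, copy back into the packet storage, pass a
 * pointer inside the buffer.  The ack is latched from the untouched copy,
 * so it is byte-swapped exactly once. */
void reject_fixed(struct pkt_buf *m)
{
    struct tcpip_hdr ti, *tip = (struct tcpip_hdr *)m->data;
    memcpy(&ti, m->data, sizeof ti);
    uint32_t wire_ack = ti.tcp.ack;
    memcpy(tip, &ti, sizeof ti);            /* bcopy(&ti, ip, sizeof(ti)) */
    respond_with_rst(m, tip, ntohl(wire_ack));
}

/* The trap in the patched code: without IP options tcp->th_ack and
 * tip->ti_ack are the same bytes, so an in-place NTOHL followed by
 * ntohl(tcp->th_ack) swaps twice and the RST carries a reversed seq. */
void reject_fixed_aliased(struct pkt_buf *m)
{
    struct tcpip_hdr *tip = (struct tcpip_hdr *)m->data;
    struct tcp_hdr *tcp = &tip->tcp;        /* aliases tip->ti_t */
    tip->tcp.ack = ntohl(tip->tcp.ack);     /* NTOHL(tip->ti_ack) */
    respond_with_rst(m, tip, ntohl(tcp->ack));
}

/* Scenario drivers returning checkable values. */
int      demo_fixed_in_buffer(void)  { struct pkt_buf m; make_packet(&m, 0x11223344u); reject_fixed(&m);  return data_is_in_buffer(&m); }
uint32_t demo_fixed_seq(void)        { struct pkt_buf m; make_packet(&m, 0x11223344u); reject_fixed(&m);  return reply_seq(&m); }
int      demo_broken_in_buffer(void) { struct pkt_buf m; make_packet(&m, 0x11223344u); return reject_broken(&m); }
uint32_t demo_aliased_seq(void)      { struct pkt_buf m; make_packet(&m, 0x11223344u); reject_fixed_aliased(&m); return reply_seq(&m); }
```

Build with `cc -Wall` and call the `demo_*` functions: the fixed path keeps the data pointer inside the buffer and the reply's sequence number equals the incoming ack (0x11223344), the pre-patch path reports a data pointer outside the buffer, and the aliased variant returns 0x44332211 on a little-endian host, which is the double byte-swap the reviewer note above describes.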