Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 15 Apr 2010 23:15:55 GMT
From:      Peter Molnar <peter@molnar.cc>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/145736: Access to freed mbuf in ip_forward with IPSEC enabled
Message-ID:  <201004152315.o3FNFtCe095952@www.freebsd.org>
Resent-Message-ID: <201004152320.o3FNK2hk091215@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help 

>Number:         145736
>Category:       kern
>Synopsis:       Access to freed mbuf in ip_forward with IPSEC enabled
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Apr 15 23:20:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Peter Molnar
>Release:        RELENG_7_0_0_RELEASE
>Organization:
>Environment:
>Description:
Test setup:

A FreeBSD machine acts as a router and is connected to a WAN and a LAN. The traffic routed into the WAN is IPSEC encrypted. The TCP traffic originating from a machine in the LAN does not fit the MTU on the WAN link and PMTU discovery comes to action.

Detailed problem description:

 * At some point the routed packet reaches ip_forward (sys/netinet/ip_input.c).
 * The packet is passed in the paramter m to the routine ip_output (sys/netinet/ip_output.c).
 * The packet does not fit the MTU, so EMSGSIZE is returned and the routine is exited via the label bad.
 * The mbuf m is freed using m_free.
 * Control flow returns to ip_forward.
 * ip_ipsec_mtu is called on the mbuf m.
>How-To-Repeat:

>Fix:


Patch attached with submission follows:

diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index acd1e17..d296299 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1403,7 +1403,7 @@ ip_forward(struct mbuf *m, int srcrt)
 		code = ICMP_UNREACH_NEEDFRAG;
 
 #ifdef IPSEC
-		mtu = ip_ipsec_mtu(m);
+		mtu = ip_ipsec_mtu(mcopy);
 #endif /* IPSEC */
 		/*
 		 * If the MTU wasn't set before use the interface mtu or


>Release-Note:
>Audit-Trail:
>Unformatted:

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201004152315.o3FNFtCe095952>