Date: Thu, 15 Apr 2010 23:15:55 GMT
From: Peter Molnar <peter@molnar.cc>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/145736: Access to freed mbuf in ip_forward with IPSEC enabled
Message-ID: <201004152315.o3FNFtCe095952@www.freebsd.org>
Resent-Message-ID: <201004152320.o3FNK2hk091215@freefall.freebsd.org>
>Number:         145736
>Category:       kern
>Synopsis:       Access to freed mbuf in ip_forward with IPSEC enabled
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Apr 15 23:20:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Peter Molnar
>Release:        RELENG_7_0_0_RELEASE
>Organization:
>Environment:
>Description:
Test setup:

A FreeBSD machine acts as a router and is connected to a WAN and a LAN. The traffic routed into the WAN is IPSEC encrypted. The TCP traffic originating from a machine in the LAN does not fit the MTU on the WAN link and PMTU discovery comes into action.

Detailed problem description:

* At some point the routed packet reaches ip_forward (sys/netinet/ip_input.c).
* The packet is passed in the parameter m to the routine ip_output (sys/netinet/ip_output.c).
* The packet does not fit the MTU, so EMSGSIZE is returned and the routine is exited via the label bad.
* The mbuf m is freed using m_free.
* Control flow returns to ip_forward.
* ip_ipsec_mtu is called on the mbuf m.
>How-To-Repeat:
>Fix:
Patch attached with submission follows:

diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index acd1e17..d296299 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1403,7 +1403,7 @@ ip_forward(struct mbuf *m, int srcrt)
 		code = ICMP_UNREACH_NEEDFRAG;
 #ifdef IPSEC
-		mtu = ip_ipsec_mtu(m);
+		mtu = ip_ipsec_mtu(mcopy);
 #endif /* IPSEC */
 		/*
 		 * If the MTU wasn't set before use the interface mtu or
>Release-Note:
>Audit-Trail:
>Unformatted:
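Review bot: the replacement call `mtu = ip_ipsec_mtu(mcopy);` is only safe if mcopy is guaranteed non-NULL and still owned by ip_forward at this point in the EMSGSIZE case; since mcopy is a copy of the packet taken before ip_output() consumed m, and such a copy can fail to allocate, confirm that the existing NULL check on mcopy is reached before this switch (error) block and that the copy carries the packet-header state ip_ipsec_mtu() inspects, otherwise the patch trades the use-after-free for a NULL dereference or a wrong advertised MTU. A one-line comment above the call noting that m has already been freed by ip_output() on this path and must not be referenced would also keep a later change from reverting to m.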
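The ownership rule behind this report, shown as an added toy model in C (it is not FreeBSD code, and the names out(), forward(), buf and the 56-byte overhead value are constructed for the illustration). Like ip_output(), out() consumes its buffer on every path and frees it when the packet exceeds the MTU, so a caller that still needs packet state for the ICMP need-frag reply must read it from a copy taken before the call, which is what the patch does by passing mcopy to ip_ipsec_mtu(). The model quarantines freed buffers instead of releasing them so that a stale read is counted rather than being undefined behaviour.

```c
/*
 * Toy model of the ip_forward()/ip_output() ownership contract.
 * Constructed for illustration; not FreeBSD code.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EMSGSIZE 40            /* errno value used by the real kernel */

/* Constructed packet buffer. ipsec_overhead stands in for the per-packet
 * IPsec state that ip_ipsec_mtu() reads from the mbuf. */
struct buf {
    size_t len;
    int    freed;              /* set by buf_free(); lets stale reads be detected */
    int    ipsec_overhead;
    unsigned char data[128];
};

static int stale_accesses;     /* number of reads of a buffer after it was freed */

/* Freed buffers are parked here instead of being returned to malloc, so a
 * use-after-free in the buggy path reads stable, still-mapped memory. */
static struct buf *quarantine[16];
static size_t nquarantine;

static struct buf *buf_alloc(size_t len, int ipsec_overhead) {
    struct buf *b = calloc(1, sizeof *b);
    if (b == NULL) abort();
    b->len = len;
    b->ipsec_overhead = ipsec_overhead;
    memset(b->data, 0xAB, len < sizeof b->data ? len : sizeof b->data);
    return b;
}

/* Like m_copy(): a fresh buffer carrying the same header state. */
static struct buf *buf_copy(const struct buf *b) {
    struct buf *c = buf_alloc(b->len, b->ipsec_overhead);
    memcpy(c->data, b->data, sizeof c->data);
    return c;
}

static void buf_free(struct buf *b) {       /* like m_freem(): ownership ends here */
    b->freed = 1;
    if (nquarantine >= sizeof quarantine / sizeof quarantine[0]) abort();
    quarantine[nquarantine++] = b;
}

static void quarantine_flush(void) {        /* really release quarantined buffers */
    while (nquarantine) free(quarantine[--nquarantine]);
}

/* Accessor that records a use-after-free instead of silently reading. */
static int buf_ipsec_overhead(const struct buf *b) {
    if (b->freed) stale_accesses++;
    return b->ipsec_overhead;
}

/* Model of ip_output(): takes ownership of b on every path. An oversize
 * packet is freed via the error path (the `bad:` label) and EMSGSIZE is
 * returned; otherwise the buffer is handed on and freed after "transmit". */
static int out(struct buf *b, size_t link_mtu) {
    if (b->len > link_mtu) {
        buf_free(b);
        return EMSGSIZE;
    }
    buf_free(b);
    return 0;
}

/* Model of ip_forward(). Returns the MTU to advertise in the ICMP need-frag
 * reply, or 0 when the packet was forwarded. use_copy selects the fixed
 * behaviour (read the copy) or the buggy one (read the consumed buffer). */
static size_t forward(struct buf *b, size_t link_mtu, int use_copy) {
    struct buf *copy = buf_copy(b);         /* like mcopy in ip_forward() */
    int error = out(b, link_mtu);           /* b must not be touched after this */
    size_t mtu = 0;
    if (error == EMSGSIZE) {
        /* IPsec path: shrink the link MTU by the overhead recorded on the
         * packet. Before the patch this read m; the patch reads mcopy. */
        const struct buf *src = use_copy ? copy : b;
        mtu = link_mtu - (size_t)buf_ipsec_overhead(src);
    }
    free(copy);
    return mtu;
}

/* One scenario: a packet of pkt_len bytes with 56 bytes of constructed IPsec
 * overhead is forwarded over a 1400-byte link. */
static int scenario_mtu(int use_copy, size_t pkt_len) {
    stale_accesses = 0;
    int mtu = (int)forward(buf_alloc(pkt_len, 56), 1400, use_copy);
    quarantine_flush();
    return mtu;
}

static int scenario_stale(int use_copy, size_t pkt_len) {
    (void)scenario_mtu(use_copy, pkt_len);
    return stale_accesses;
}

int main(void) {
    printf("buggy: mtu=%d stale=%d\n", scenario_mtu(0, 1500), scenario_stale(0, 1500));
    printf("fixed: mtu=%d stale=%d\n", scenario_mtu(1, 1500), scenario_stale(1, 1500));
    return 0;
}
```

Both variants compute the same MTU, which is why the bug is invisible in normal testing: the freed mbuf usually still holds its old contents. The difference is only that the buggy path reads memory it no longer owns, which a real allocator may have reused or unmapped.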