Date:      Wed, 24 Sep 2014 19:40:23 -0700
From:      Adrian Chadd <adrian@freebsd.org>
To:        Sean Bruno <sbruno@freebsd.org>
Cc:        "svn-src-head@freebsd.org" <svn-src-head@freebsd.org>, "svn-src-all@freebsd.org" <svn-src-all@freebsd.org>, "src-committers@freebsd.org" <src-committers@freebsd.org>
Subject:   Re: svn commit: r272089 - head/sys/netpfil/ipfw
Message-ID:  <CAJ-VmomsRHxiUtDw8FpP=ZGcE136dBLpDyzcpnRVbVFyk0Jmnw@mail.gmail.com>
In-Reply-To: <201409250226.s8P2Q6AS055635@svn.freebsd.org>
References:  <201409250226.s8P2Q6AS055635@svn.freebsd.org>

Hm, I saw this from Kate on IRC. Did anyone figure out _where_ these
frames are coming from?

Just dropping them is cool, but I'd really like to see the contents of
the frames and what their origin is.

I'm worried that they're valid stack-generated frames..


-a


On 24 September 2014 19:26, Sean Bruno <sbruno@freebsd.org> wrote:
> Author: sbruno
> Date: Thu Sep 25 02:26:05 2014
> New Revision: 272089
> URL: http://svnweb.freebsd.org/changeset/base/272089
>
> Log:
>   Fix NULL pointer deref in ipfw when using dummynet at layer 2.
>   Drop packet if pkg->ifp is NULL, which is the case here.
>
>   ref. https://github.com/HardenedBSD/hardenedBSD
>   commit 4eef3881c64f6e3aa38eebbeaf27a947a5d47dd7
>
>   PR 193861 --  DUMMYNET LAYER2: kernel panic
>
>   in this case a kernel panic occurs. Hence, when we do not get an interface,
>   we just drop the packet in question.
>
>   PR:           193681
>   Submitted by: David Carlier <david.carlier@hardenedbsd.org>
>   Obtained from:        Hardened BSD
>   MFC after:    2 weeks
>   Relnotes:     yes
>
> Modified:
>   head/sys/netpfil/ipfw/ip_dn_io.c
>
> Modified: head/sys/netpfil/ipfw/ip_dn_io.c
> ==============================================================================
> --- head/sys/netpfil/ipfw/ip_dn_io.c    Wed Sep 24 22:58:10 2014        (r272088)
> +++ head/sys/netpfil/ipfw/ip_dn_io.c    Thu Sep 25 02:26:05 2014        (r272089)
> @@ -751,10 +751,15 @@ dummynet_send(struct mbuf *m)
>                         /* extract the dummynet info, rename the tag
>                          * to carry reinject info.
>                          */
> -                       dst = pkt->dn_dir;
> -                       ifp = pkt->ifp;
> -                       tag->m_tag_cookie = MTAG_IPFW_RULE;
> -                       tag->m_tag_id = 0;
> +                       if (pkt->dn_dir == (DIR_OUT | PROTO_LAYER2) &&
> +                               pkt->ifp == NULL) {
> +                               dst = DIR_DROP;
> +                       } else {
> +                               dst = pkt->dn_dir;
> +                               ifp = pkt->ifp;
> +                               tag->m_tag_cookie = MTAG_IPFW_RULE;
> +                               tag->m_tag_id = 0;
> +                       }
>                 }
>
>                 switch (dst) {
>
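Review bot: The new `dst = DIR_DROP` branch in dummynet_send() discards the frame silently, with no comment, counter or log saying why `pkt->ifp` can be NULL for `DIR_OUT | PROTO_LAYER2`, so the panic is avoided but the origin of these frames stays undiagnosed. Add a short comment on the condition and a drop counter or rate-limited message in that branch so the source can be traced. The existing comment "extract the dummynet info, rename the tag" now sits above a conditional whose first branch does neither, so it belongs inside the `else`. The check is also tied to a single `dn_dir` value; the cases of `switch (dst)` are not visible in this hunk, so confirm that no other direction reaches a use of `ifp` while it is NULL. Style: the continuation line `pkt->ifp == NULL) {` is indented to the same depth as the body, which makes the condition hard to tell apart from the statement that follows it.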


