Date: Thu, 25 Sep 2014 09:18:08 +0400
From: Gleb Smirnoff
To: Adrian Chadd
Cc: "svn-src-head@freebsd.org", Sean Bruno, "src-committers@freebsd.org", "svn-src-all@freebsd.org"
Subject: Re: svn commit: r272089 - head/sys/netpfil/ipfw

On Wed, Sep 24, 2014 at 07:40:23PM -0700, Adrian Chadd wrote:
A> Hm, I saw this from Kate on IRC. Did anyone figure out _where_ these
A> frames are coming from?
A>
A> Just dropping them is cool, but I'd really like to see the contents of
A> the frames and what their origin is.
A>
A> I'm worried that they're valid stack-generated frames..

I agree on this. Fixing NULL pointer derefs with a NULL check is not always
the right thing to do.

A> -a
A>
A>
A> On 24 September 2014 19:26, Sean Bruno wrote:
A> > Author: sbruno
A> > Date: Thu Sep 25 02:26:05 2014
A> > New Revision: 272089
A> > URL: http://svnweb.freebsd.org/changeset/base/272089
A> >
A> > Log:
A> > Fix NULL pointer deref in ipfw when using dummynet at layer 2.
A> > Drop packet if pkg->ifp is NULL, which is the case here.
A> >
A> > ref. https://github.com/HardenedBSD/hardenedBSD
A> > commit 4eef3881c64f6e3aa38eebbeaf27a947a5d47dd7
A> >
A> > PR 193861 -- DUMMYNET LAYER2: kernel panic
A> >
A> > in this case a kernel panic occurs. Hence, when we do not get an interface,
A> > we just drop the packet in question.
A> > A> > PR: 193681 A> > Submitted by: David Carlier A> > Obtained from: Hardened BSD A> > MFC after: 2 weeks A> > Relnotes: yes A> > A> > Modified: A> > head/sys/netpfil/ipfw/ip_dn_io.c A> > A> > Modified: head/sys/netpfil/ipfw/ip_dn_io.c A> > ============================================================================== A> > --- head/sys/netpfil/ipfw/ip_dn_io.c Wed Sep 24 22:58:10 2014 (r272088) A> > +++ head/sys/netpfil/ipfw/ip_dn_io.c Thu Sep 25 02:26:05 2014 (r272089) A> > @@ -751,10 +751,15 @@ dummynet_send(struct mbuf *m) A> > /* extract the dummynet info, rename the tag A> > * to carry reinject info. A> > */ A> > - dst = pkt->dn_dir; A> > - ifp = pkt->ifp; A> > - tag->m_tag_cookie = MTAG_IPFW_RULE; A> > - tag->m_tag_id = 0; A> > + if (pkt->dn_dir == (DIR_OUT | PROTO_LAYER2) && A> > + pkt->ifp == NULL) { A> > + dst = DIR_DROP; A> > + } else { A> > + dst = pkt->dn_dir; A> > + ifp = pkt->ifp; A> > + tag->m_tag_cookie = MTAG_IPFW_RULE; A> > + tag->m_tag_id = 0; A> > + } A> > } A> > A> > switch (dst) { A> > A> -- Totus tuus, Glebius.
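
Review bot: the new `pkt->ifp == NULL` branch in dummynet_send() drops the frame silently by setting `dst = DIR_DROP`, so nothing records how a `DIR_OUT | PROTO_LAYER2` packet reached this point without an interface. Please add a comment saying when `ifp` can legitimately be NULL here, and consider a drop counter or rate-limited log in that branch so the origin of these frames can be traced instead of hidden. Two further points on the same hunk: the check covers only `DIR_OUT | PROTO_LAYER2`, so it is worth stating whether any other `dn_dir` value can reach the `switch (dst)` with a NULL `ifp`; and the drop branch neither assigns `ifp` nor renames the tag (`m_tag_cookie` and `m_tag_id` are left as they were), so confirm that `ifp` is initialized at its declaration and that the DIR_DROP path does not depend on the renamed tag.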