Date:      Wed, 27 Jan 99 14:28:17 +0000 (GMT)
From:      dwmalone@maths.tcd.ie
To:        FreeBSD-gnats-submit@FreeBSD.ORG
Subject:   kern/9723: icmp_reflect doesn't clear m->m_pkthdr.rcvif
Message-ID:  <9901271428.aa56319@gosset.maths.tcd.ie>

>Number:         9723
>Category:       kern
>Synopsis:       icmp_reflect doesn't clear m->m_pkthdr.rcvif
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jan 27 06:30:01 PST 1999
>Closed-Date:
>Last-Modified:
>Originator:     David Malone
>Release:        FreeBSD 2.2.8-STABLE
>Organization:
School of Maths, Trinity College, Dublin.
>Environment:

Using ipfw and gatewaying in 2.2.8-STABLE as of last week some time.
Problem looks like it is present in 3.0/4.0 too.

>Description:

When the icmp code uses icmp_reflect to reply to a packet it rewrites
the original packet and then sends that. Unfortunately it does not clear
m->m_pkthdr.rcvif after using it, so the outgoing packet looks like it
has been received on some interface.

This is a problem if you have a firewall rule which then filters stuff on
the received packet. It looks like the same problem is present in current.

>How-To-Repeat:

Suppose you have a machine with de0 with address 10.0.0.1 and you have the
firewall rules:

	deny ip from 10.0.0.1 to any recv de0
	allow ip from any to any

Pings from interface de0 will not be replied to, as the outgoing reply will
match the first rule.

>Fix:

You can work around this by only filtering on incoming packets. I think it
would be correct to add a clearing of m->m_pkthdr.rcvif toward the end of
icmp_reflect. Something like the following seems to work on 2.2.8-STABLE,
and looks like it would work on 3.0/4.0 too.

--- ip_icmp.c.orig	Wed Jan 27 14:16:14 1999
+++ ip_icmp.c	Wed Jan 27 14:19:38 1999
@@ -613,6 +613,7 @@
 		bcopy((caddr_t)ip + optlen, (caddr_t)(ip + 1),
 			 (unsigned)(m->m_len - sizeof(struct ip)));
 	}
+	m->m_pkthdr.rcvif = (struct ifnet *)0;
 	m->m_flags &= ~(M_BCAST|M_MCAST);
 	icmp_send(m, opts);
 done:
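Review bot: the added `m->m_pkthdr.rcvif = (struct ifnet *)0;` line has no comment saying why the receive interface is cleared, and without one it reads like an arbitrary reset that a later cleanup could drop. A one-line comment above it would do, noting that the mbuf is reused as an outgoing packet and must not look as if it was received on an interface. Since the assignment sits directly before `icmp_send(m, opts);`, it is also worth confirming that nothing on that send path still expects the original receive interface in `m`.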
>Release-Note:
>Audit-Trail:
>Unformatted:
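The failure described in this report, as an added example that is not part of the original message and not FreeBSD source: a simplified user-space model of first-match filtering with a `recv` clause, applied to a reflected packet with and without the stale receive interface. The `*_model` types, the helper functions and the peer address 10.0.0.2 are assumptions made for illustration.

```c
/* Simplified model (not FreeBSD code) of a stale rcvif on a reflected ICMP reply. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

struct ifnet_model { const char *name; };   /* hypothetical stand-in for struct ifnet */
/* Stand-in for an mbuf plus IP header; rcvif is NULL for locally generated output. */
struct pkt_model { uint32_t src, dst; struct ifnet_model *rcvif; };
/* "action ip from SRC to any [recv IF]": src 0 = any, recv_if NULL = no recv clause. */
struct rule_model { int deny; uint32_t src; const char *recv_if; };

/* First-match evaluation; returns 1 if the packet is dropped. */
static int fw_drops(const struct rule_model *r, size_t n, const struct pkt_model *p)
{
    for (size_t i = 0; i < n; i++) {
        if (r[i].src && r[i].src != p->src)
            continue;
        if (r[i].recv_if &&
            (p->rcvif == NULL || strcmp(p->rcvif->name, r[i].recv_if) != 0))
            continue;                        /* recv clause needs a matching rcvif */
        return r[i].deny;
    }
    return 1;                                /* constructed default; not reached below */
}

/* Reuse the request as the reply, as the report describes; optionally clear rcvif. */
static void reflect(struct pkt_model *p, int clear_rcvif)
{
    uint32_t t = p->src; p->src = p->dst; p->dst = t;
    if (clear_rcvif)
        p->rcvif = NULL;                     /* the effect of the proposed one-line fix */
}

/* Returns 1 if the echo reply from 10.0.0.1 is dropped on output, 0 if it passes. */
int reply_dropped(int clear_rcvif)
{
    static struct ifnet_model de0 = { "de0" };
    const struct rule_model rules[] = {
        { 1, 0x0a000001, "de0" },            /* deny ip from 10.0.0.1 to any recv de0 */
        { 0, 0, NULL },                      /* allow ip from any to any */
    };
    struct pkt_model p = { 0x0a000002, 0x0a000001, &de0 };  /* constructed ping */
    if (fw_drops(rules, 2, &p))
        return -1;                           /* inbound request must pass first */
    reflect(&p, clear_rcvif);
    return fw_drops(rules, 2, &p);
}

int main(void)
{
    printf("stale rcvif: %d, cleared rcvif: %d\n", reply_dropped(0), reply_dropped(1));
    return 0;
}
```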
