Date: Mon, 19 Feb 2001 14:25:50 Gmt +0200
From: idobarnea@NewMail.Net
To: hackers@freebsd.org
Cc: andrew@cnsec.co.za
Subject: Bug in creating ICMP error messages in FreeBSD4.2
Message-ID: <3a912cee.150.0@NewMail.Net>
Hi,

I encountered the following problem in the 4.2 version.

In ip_forward, the following lines intend to save the mbuf in case we want to send an ICMP error later:

    mcopy = m_copy(m, 0, imin((int)ip->ip_len, 64));
    if (mcopy && (mcopy->m_flags & M_EXT))
        m_copydata(mcopy, 0, sizeof(struct ip), mtod(mcopy, caddr_t));

Later on, before sending the ICMP packet we do:

    if (mcopy->m_flags & M_EXT)
        m_copyback(mcopy, 0, sizeof(struct ip), mtod(mcopy, caddr_t));

The problem as I understand it is that the m_copydata and m_copyback actually do nothing (they just copy from mcopy to itself).

When bombing the kernel with lots (enough to make it issue an ICMP error) of IP packets with length 256 (which is 1 if reversing the byte order), the icmp_error function causes mbuf memory corruption, and later a kernel panic.

I believe this caused the problem reported by Andrew Alston in this mailing list on 12.6.2000.

I suggest adding a variable:

    struct ip save_ip_head;

Replacing the m_copydata line with:

    m_copydata(mcopy, 0, sizeof(struct ip), &save_ip_head);

And the same with the m_copyback line.

Ido Barnea
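An added example, not part of the original message and not FreeBSD source: a userland C model of the self-copy described in the message, next to the proposed save_ip_head approach. It assumes that mcopy shares its external storage with m and that the forwarding path byte-swaps ip_len in place; toy_mbuf, HDR_LEN, LEN_OFF and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 20   /* size of an IP header without options */
#define LEN_OFF 2    /* offset of ip_len inside the header */

/* Toy mbuf (hypothetical): only the pointer to its data matters here. */
struct toy_mbuf { uint8_t *data; };

static uint16_t get_len(const struct toy_mbuf *m) {
    uint16_t v; memcpy(&v, m->data + LEN_OFF, sizeof v); return v;
}
static void set_len(struct toy_mbuf *m, uint16_t v) {
    memcpy(m->data + LEN_OFF, &v, sizeof v);
}
/* Assumed model of the forwarding path: ip_len is byte-swapped in place. */
static void forward_rewrites_header(struct toy_mbuf *m) {
    uint16_t v = get_len(m);
    set_len(m, (uint16_t)((v << 8) | (v >> 8)));
}

/* 4.2 logic: "save" and "restore" both copy mcopy's header onto itself. */
uint16_t len_seen_self_copy(uint16_t ip_len) {
    uint8_t cluster[64] = {0};
    struct toy_mbuf m = { cluster }, mcopy = { cluster }; /* shared storage */
    set_len(&m, ip_len);
    memmove(mcopy.data, mcopy.data, HDR_LEN);   /* save: src == dst, no-op */
    forward_rewrites_header(&m);
    memmove(mcopy.data, mcopy.data, HDR_LEN);   /* restore: still a no-op */
    return get_len(&mcopy);                     /* what the ICMP path reads */
}

/* Proposed fix: keep the header in a separate save_ip_head buffer. */
uint16_t len_seen_saved_header(uint16_t ip_len) {
    uint8_t cluster[64] = {0}, save_ip_head[HDR_LEN];
    struct toy_mbuf m = { cluster }, mcopy = { cluster };
    set_len(&m, ip_len);
    memcpy(save_ip_head, mcopy.data, HDR_LEN);  /* real save */
    forward_rewrites_header(&m);
    memcpy(mcopy.data, save_ip_head, HDR_LEN);  /* real restore */
    return get_len(&mcopy);
}

int main(void) {
    printf("self-copy: %u, saved header: %u\n",
           (unsigned)len_seen_self_copy(256), (unsigned)len_seen_saved_header(256));
    return 0;
}
```

With a length of 256 the self-copy variant hands the error path a length of 1, while the separate buffer restores 256.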