Date: Thu, 8 Mar 2001 13:40:44 -0800 (PST) From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net> To: phk@critter.freebsd.dk (Poul-Henning Kamp) Cc: iedowse@FreeBSD.org (Ian Dowse), cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: src/sys/netinet ip_icmp.c ip_input.c Message-ID: <200103082140.NAA26756@gndrsh.dnsmgr.net> In-Reply-To: <24132.984086792@critter> from Poul-Henning Kamp at "Mar 8, 2001 10:26:32 pm"
next in thread | previous in thread | raw e-mail | index | archive | help
> > Yah! Good work! Yea, that was an odd one! > Is this by any chance related to the DUMMYNET problem rgrimes > reported ? I don't think so. I've looked at what changed in 4.3 since the end of february when dummynet worked fine, and it looks like one merge from current was done. This was the per interface stats counter stuff, and it looks like it may be possible to deref a null ia->ia_ifa in the DUMMYNET case, though this is from all of a 3 minute look at the diff. Also this patch doesnt touch ip_output, which is where the panic occurs. > Poul-Henning > > In message <200103081903.f28J3Rp36712@freefall.freebsd.org>, Ian Dowse writes: > >iedowse 2001/03/08 11:03:26 PST > > > > Modified files: > > sys/netinet ip_icmp.c ip_input.c > > Log: > > It was possible for ip_forward() to supply to icmp_error() > > an IP header with ip_len in network byte order. For certain > > values of ip_len, this could cause icmp_error() to write > > beyond the end of an mbuf, causing mbuf free-list corruption. > > This problem was observed during generation of ICMP redirects. > > > > We now make quite sure that the copy of the IP header kept > > for icmp_error() is stored in a non-shared mbuf header so > > that it will not be modified by ip_output(). > > > > Also: > > > > Reported by: Mike Tancsa <mike@sentex.net> > > Many thanks to Mike for stalking this bug out ! > > -- > Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 > phk@FreeBSD.ORG | TCP/IP since RFC 956 > FreeBSD committer | BSD since 4.3-tahoe > Never attribute to malice what can adequately be explained by incompetence. > -- Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200103082140.NAA26756>