kern/145736: Access to freed mbuf in ip_forward with IPSEC enabled
Peter Molnar
peter at molnar.cc
Thu Apr 15 23:20:02 UTC 2010
>Number: 145736
>Category: kern
>Synopsis: Access to freed mbuf in ip_forward with IPSEC enabled
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Apr 15 23:20:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Peter Molnar
>Release: RELENG_7_0_0_RELEASE
>Organization:
>Environment:
>Description:
Test setup:
A FreeBSD machine acts as a router and is connected to a WAN and a LAN. The traffic routed into the WAN is IPSEC encrypted. The TCP traffic originating from a machine in the LAN does not fit the MTU on the WAN link and PMTU discovery comes to action.
Detailed problem description:
* At some point the routed packet reaches ip_forward (sys/netinet/ip_input.c).
* The packet is passed in the paramter m to the routine ip_output (sys/netinet/ip_output.c).
* The packet does not fit the MTU, so EMSGSIZE is returned and the routine is exited via the label bad.
* The mbuf m is freed using m_free.
* Control flow returns to ip_forward.
* ip_ipsec_mtu is called on the mbuf m.
>How-To-Repeat:
>Fix:
Patch attached with submission follows:
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index acd1e17..d296299 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1403,7 +1403,7 @@ ip_forward(struct mbuf *m, int srcrt)
code = ICMP_UNREACH_NEEDFRAG;
#ifdef IPSEC
- mtu = ip_ipsec_mtu(m);
+ mtu = ip_ipsec_mtu(mcopy);
#endif /* IPSEC */
/*
* If the MTU wasn't set before use the interface mtu or
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list