kern/149937: kernel panic in ipfilter IP fragments with TCP payload in reverse order

Jens jens.kassel at servicefactory.com
Thu Aug 26 11:40:06 UTC 2010


The following reply was made to PR kern/149937; it has been noted by GNATS.

From: "Jens" <jens.kassel at servicefactory.com>
To: <bug-followup at FreeBSD.org>
Cc:  
Subject: Re: kern/149937: kernel panic in ipfilter IP fragments with TCP payload in reverse order
Date: Thu, 26 Aug 2010 13:23:07 +0200

 This is a multi-part message in MIME format.
 
 ------=_NextPart_000_004B_01CB4521.D27F8180
 Content-Type: text/plain;
 	charset="us-ascii"
 Content-Transfer-Encoding: 7bit
 
 Use this patch instead
 
  
 
 --- ip_nat.c.orig       2009-04-15 05:14:26.000000000 +0200
 
 +++ ip_nat.c    2010-08-26 13:14:32.000000000 +0200
 
 @@ -3783,7 +3783,16 @@
 
         else if ((nat = nat_outlookup(fin, nflags|NAT_SEARCH,
 (u_int)fin->fin_p,
 
                                       fin->fin_src, fin->fin_dst))) {
 
                 nflags = nat->nat_flags;
 
 -       } else {
 
 +       }
 
 +       else if ((fin->fin_p == IPPROTO_TCP) &&
 
 +               ((fin->fin_off != 0) || (fin->fin_flx & FI_SHORT)))
 
 +       {
 
 +               /* Discard TCP IP fragmentes without matching NAT rule
 
 +               (or if fragment lock is set) if offset is nonezero */
 
 +               nat = NULL;
 
 +               nat_stats.ns_badnat++;
 
 +       }
 
 +       else {
 
                 u_32_t hv, msk, nmsk;
 
  
 
                 /*
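Review bot: The comment on the new branch does not match the condition it guards: the code tests `fin->fin_flx & FI_SHORT`, which by its name is the short-packet flag rather than a "fragment lock", and the text also misspells "fragments" and "nonzero". Suggested wording: `/* No NAT session matched a TCP non-first fragment (fin_off != 0) or a packet flagged FI_SHORT: drop it and count it instead of building a rule from a transport header that is presumably not present. */`. The `nat = NULL;` assignment is redundant, because this branch is reached only when the `nat_outlookup()` assignment in the preceding `else if` condition already yielded NULL; keeping it is harmless, but a short "explicit for clarity" remark would stop the next reader from hunting for a side effect. The un-cuddled `}` / `else if` / `{` layout on separate lines also departs from the file's `} else {` style visible on the removed line. The same comment and layout points apply to the nat_inlookup hunk at @@ -4078, and the enclosing function starts and ends outside both hunks.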
 
 @@ -4078,7 +4087,16 @@
 
         else if ((nat = nat_inlookup(fin, nflags|NAT_SEARCH,
 (u_int)fin->fin_p,
 
                                      fin->fin_src, in))) {
 
                 nflags = nat->nat_flags;
 
 -       } else {
 
 +       }
 
 +       else if ((fin->fin_p == IPPROTO_TCP) &&
 
 +               ((fin->fin_off != 0) || (fin->fin_flx & FI_SHORT)))
 
 +       {
 
 +               /* Discard TCP IP fragmentes without matching NAT rule
 
 +               (or if fragment lock is set) if offset is nonezero */
 
 +               nat = NULL;
 
 +               nat_stats.ns_badnat++;
 
 +       }
 
 +       else {
 
                 u_32_t hv, msk, rmsk;
 
  
 
                 RWLOCK_EXIT(&ipf_nat);
 
 
 ------=_NextPart_000_004B_01CB4521.D27F8180
 Content-Type: text/html;
 	charset="us-ascii"
 Content-Transfer-Encoding: quoted-printable
 
 <html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
 xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
 xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
 xmlns:x=3D"urn:schemas-microsoft-com:office:excel" =
 xmlns:p=3D"urn:schemas-microsoft-com:office:powerpoint" =
 xmlns:a=3D"urn:schemas-microsoft-com:office:access" =
 xmlns:dt=3D"uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" =
 xmlns:s=3D"uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" =
 xmlns:rs=3D"urn:schemas-microsoft-com:rowset" xmlns:z=3D"#RowsetSchema" =
 xmlns:b=3D"urn:schemas-microsoft-com:office:publisher" =
 xmlns:ss=3D"urn:schemas-microsoft-com:office:spreadsheet" =
 xmlns:c=3D"urn:schemas-microsoft-com:office:component:spreadsheet" =
 xmlns:odc=3D"urn:schemas-microsoft-com:office:odc" =
 xmlns:oa=3D"urn:schemas-microsoft-com:office:activation" =
 xmlns:html=3D"http://www.w3.org/TR/REC-html40" =
 xmlns:q=3D"http://schemas.xmlsoap.org/soap/envelope/" =
 xmlns:rtc=3D"http://microsoft.com/officenet/conferencing" =
 xmlns:D=3D"DAV:" xmlns:Repl=3D"http://schemas.microsoft.com/repl/" =
 xmlns:mt=3D"http://schemas.microsoft.com/sharepoint/soap/meetings/" =
 xmlns:x2=3D"http://schemas.microsoft.com/office/excel/2003/xml" =
 xmlns:ppda=3D"http://www.passport.com/NameSpace.xsd" =
 xmlns:ois=3D"http://schemas.microsoft.com/sharepoint/soap/ois/" =
 xmlns:dir=3D"http://schemas.microsoft.com/sharepoint/soap/directory/" =
 xmlns:ds=3D"http://www.w3.org/2000/09/xmldsig#" =
 xmlns:dsp=3D"http://schemas.microsoft.com/sharepoint/dsp" =
 xmlns:udc=3D"http://schemas.microsoft.com/data/udc" =
 xmlns:xsd=3D"http://www.w3.org/2001/XMLSchema" =
 xmlns:sub=3D"http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/"=
  xmlns:ec=3D"http://www.w3.org/2001/04/xmlenc#" =
 xmlns:sp=3D"http://schemas.microsoft.com/sharepoint/" =
 xmlns:sps=3D"http://schemas.microsoft.com/sharepoint/soap/" =
 xmlns:xsi=3D"http://www.w3.org/2001/XMLSchema-instance" =
 xmlns:udcs=3D"http://schemas.microsoft.com/data/udc/soap" =
 xmlns:udcxf=3D"http://schemas.microsoft.com/data/udc/xmlfile" =
 xmlns:udcp2p=3D"http://schemas.microsoft.com/data/udc/parttopart" =
 xmlns:wf=3D"http://schemas.microsoft.com/sharepoint/soap/workflow/" =
 xmlns:dsss=3D"http://schemas.microsoft.com/office/2006/digsig-setup" =
 xmlns:dssi=3D"http://schemas.microsoft.com/office/2006/digsig" =
 xmlns:mdssi=3D"http://schemas.openxmlformats.org/package/2006/digital-sig=
 nature" =
 xmlns:mver=3D"http://schemas.openxmlformats.org/markup-compatibility/2006=
 " xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
 xmlns:mrels=3D"http://schemas.openxmlformats.org/package/2006/relationshi=
 ps" xmlns:spwp=3D"http://microsoft.com/sharepoint/webpartpages" =
 xmlns:ex12t=3D"http://schemas.microsoft.com/exchange/services/2006/types"=
  =
 xmlns:ex12m=3D"http://schemas.microsoft.com/exchange/services/2006/messag=
 es" =
 xmlns:pptsl=3D"http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/=
 " =
 xmlns:spsl=3D"http://microsoft.com/webservices/SharePointPortalServer/Pub=
 lishedLinksService" xmlns:Z=3D"urn:schemas-microsoft-com:" =
 xmlns:st=3D"&#1;" xmlns=3D"http://www.w3.org/TR/REC-html40">
 
 <head>
 <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
 charset=3Dus-ascii">
 <meta name=3DGenerator content=3D"Microsoft Word 12 (filtered medium)">
 <style>
 <!--
  /* Font Definitions */
  @font-face
 	{font-family:"Cambria Math";
 	panose-1:2 4 5 3 5 4 6 3 2 4;}
 @font-face
 	{font-family:Calibri;
 	panose-1:2 15 5 2 2 2 4 3 2 4;}
  /* Style Definitions */
  p.MsoNormal, li.MsoNormal, div.MsoNormal
 	{margin:0cm;
 	margin-bottom:.0001pt;
 	font-size:11.0pt;
 	font-family:"Calibri","sans-serif";}
 a:link, span.MsoHyperlink
 	{mso-style-priority:99;
 	color:blue;
 	text-decoration:underline;}
 a:visited, span.MsoHyperlinkFollowed
 	{mso-style-priority:99;
 	color:purple;
 	text-decoration:underline;}
 span.EmailStyle17
 	{mso-style-type:personal-compose;
 	font-family:"Calibri","sans-serif";
 	color:windowtext;}
 .MsoChpDefault
 	{mso-style-type:export-only;}
 @page WordSection1
 	{size:612.0pt 792.0pt;
 	margin:70.85pt 70.85pt 70.85pt 70.85pt;}
 div.WordSection1
 	{page:WordSection1;}
 -->
 </style>
 <!--[if gte mso 9]><xml>
  <o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
 </xml><![endif]--><!--[if gte mso 9]><xml>
  <o:shapelayout v:ext=3D"edit">
   <o:idmap v:ext=3D"edit" data=3D"1" />
  </o:shapelayout></xml><![endif]-->
 </head>
 
 <body lang=3DSV link=3Dblue vlink=3Dpurple>
 
 <div class=3DWordSection1>
 
 <p class=3DMsoNormal>Use this patch instead<o:p></o:p></p>
 
 <p class=3DMsoNormal><o:p>&nbsp;</o:p></p>
 
 <p class=3DMsoNormal>--- =
 ip_nat.c.orig&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2009-04-15 =
 05:14:26.000000000 +0200<o:p></o:p></p>
 
 <p class=3DMsoNormal>+++ ip_nat.c&nbsp;&nbsp;&nbsp; 2010-08-26 =
 13:14:32.000000000 +0200<o:p></o:p></p>
 
 <p class=3DMsoNormal><span lang=3DEN-US>@@ -3783,7 +3783,16 =
 @@<o:p></o:p></span></p>
 
 <p class=3DMsoNormal><span =
 lang=3DEN-US>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; else if ((nat =
 =3D nat_outlookup(fin,
 nflags|NAT_SEARCH, (u_int)fin-&gt;fin_p,<o:p></o:p></span></p>
 
 <p class=3DMsoNormal><span =
 lang=3DEN-US>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
 nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
 bsp;&nbsp;&nbsp; </span>fin-&gt;fin_src,
 fin-&gt;fin_dst))) {<o:p></o:p></p>
 
 <p =
 class=3DMsoNormal>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
 nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; nflags =3D =
 nat-&gt;nat_flags;<o:p></o:p></p>
 
 <p class=3DMsoNormal>-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; } else =
 {<o:p></o:p></p>
 
 <p class=3DMsoNormal><span =
 lang=3DEN-US>+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
 }<o:p></o:p></span></p>
 
 <p class=3DMsoNormal><span =
 lang=3DEN-US>+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; else if =
 ((fin-&gt;fin_p =3D=3D
 IPPROTO_TCP) &amp;&amp;<o:p></o:p></span></p>
 
 <p class=3DMsoNormal><span =
 lang=3DEN-US>+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
 ;&nbsp;&nbsp;&nbsp;&nbsp; ((fin-&gt;fin_off !=3D 0) ||
 (fin-&gt;fin_flx &amp; FI_SHORT)))<o:p></o:p></span></p>
 
 <p class=3DMsoNormal><span lang=3DEN-US>+ =
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{<o:p></o:p></span></p>
 
 <p class=3DMsoNormal><span =
 lang=3DEN-US>+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
 ;&nbsp;&nbsp;&nbsp;&nbsp; /* Discard TCP IP
 fragmentes without matching NAT rule<o:p></o:p></span></p>
 
 <p class=3DMsoNormal><span =
 lang=3DEN-US>+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
 ;&nbsp;&nbsp;&nbsp;&nbsp; (or if fragment lock is
 set) if offset is nonezero */<o:p></o:p></span></p>
 
 <p =
 class=3DMsoNormal>+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; nat =3D NULL;<o:p></o:p></p>
 
 <p =
 class=3DMsoNormal>+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; nat_stats.ns_badnat++;<o:p></o:p></p>
 
 <p class=3DMsoNormal>+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
 }<o:p></o:p></p>
 
 <p class=3DMsoNormal>+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; else =
 {<o:p></o:p></p>
 
 <p =
 class=3DMsoNormal>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
 nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;u_32_t hv, msk, nmsk;<o:p></o:p></p>
 
 <p class=3DMsoNormal><o:p>&nbsp;</o:p></p>
 
 <p =
 class=3DMsoNormal>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
 nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; /*<o:p></o:p></p>
 
 <p class=3DMsoNormal>@@ -4078,7 +4087,16 @@<o:p></o:p></p>
 
 <p class=3DMsoNormal>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; else if =
 ((nat =3D nat_inlookup(fin, nflags|NAT_SEARCH,
 (u_int)fin-&gt;fin_p,<o:p></o:p></p>
 
 <p =
 class=3DMsoNormal>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
 nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
 bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
 sp;&nbsp;&nbsp; fin-&gt;fin_src, in)))
 {<o:p></o:p></p>
 
 <p =
 class=3DMsoNormal>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
 nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; nflags =3D =
 nat-&gt;nat_flags;<o:p></o:p></p>
 
 <p class=3DMsoNormal><span =
 lang=3DEN-US>-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; } else =
 {<o:p></o:p></span></p>
 
 <p class=3DMsoNormal><span =
 lang=3DEN-US>+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
 }<o:p></o:p></span></p>
 
 <p class=3DMsoNormal><span =
 lang=3DEN-US>+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; else if =
 ((fin-&gt;fin_p =3D=3D
 IPPROTO_TCP) &amp;&amp;<o:p></o:p></span></p>
 
 <p class=3DMsoNormal><span =
 lang=3DEN-US>+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
 ;&nbsp;&nbsp;&nbsp;&nbsp; ((fin-&gt;fin_off !=3D 0) ||
 (fin-&gt;fin_flx &amp; FI_SHORT)))<o:p></o:p></span></p>
 
 <p class=3DMsoNormal><span =
 lang=3DEN-US>+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
 {<o:p></o:p></span></p>
 
 <p class=3DMsoNormal><span =
 lang=3DEN-US>+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
 ;&nbsp;&nbsp;&nbsp;&nbsp; /* Discard TCP IP
 fragmentes without matching NAT rule<o:p></o:p></span></p>
 
 <p class=3DMsoNormal><span =
 lang=3DEN-US>+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
 ;&nbsp;&nbsp;&nbsp;&nbsp; (or if fragment lock is set)
 if offset is nonezero */<o:p></o:p></span></p>
 
 <p =
 class=3DMsoNormal>+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; nat =3D NULL;<o:p></o:p></p>
 
 <p =
 class=3DMsoNormal>+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; nat_stats.ns_badnat++;<o:p></o:p></p>
 
 <p class=3DMsoNormal>+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
 }<o:p></o:p></p>
 
 <p class=3DMsoNormal>+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; else =
 {<o:p></o:p></p>
 
 <p =
 class=3DMsoNormal>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
 nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; u_32_t hv, msk, rmsk;<o:p></o:p></p>
 
 <p class=3DMsoNormal><o:p>&nbsp;</o:p></p>
 
 <p =
 class=3DMsoNormal>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
 nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
 RWLOCK_EXIT(&amp;ipf_nat);<o:p></o:p></p>
 
 </div>
 
 </body>
 
 </html>
 
 ------=_NextPart_000_004B_01CB4521.D27F8180--
 

