panics :( Re: fresh mac code report

Robert Watson rwatson at FreeBSD.org
Fri Jan 25 16:03:05 GMT 2002


On Fri, 25 Jan 2002, Ilmar S. Habibulin wrote:

> On Fri, 25 Jan 2002, Robert Watson wrote:
> 
> > I assume this is from sending a UDP packet to a port that isn't open on
> > your machine, from the input path.
> I have cvs repository exported via NFS. But the thing is that I can use
> cvs without any problem.
> Maybe this is mozilla? I have strange dns lookup problems.
> Anyway - the bugs must be eliminated! ;-)

Perforce change 5869 made a few minutes ago should fix this problem; 
basically, it was a mis-reading of the ip_icmp.c code on my part.  This
stuff is not in its final form, but you should no longer get panics when
sending UDP packets to non-open ports.

Change 5869 by rwatson at rwatson_tislabs on 2002/01/25 07:52:11

        Fix labeling of ICMP errors generated in ip_icmp.c.  Originally,
        I put in only a comment, believing that the mbuf containing the
        datagram being responded to would be reused for the response, as
        is the case in some link layer code, such as ARP.  However, that
        is not the case: a fresh mbuf is allocated, and that needs to be
        labeled, or a panic can result when the uninitialized label
        reaches an output function relying on the label (such as
        interface transmission).  This change adds support for setting
        that label.
        
        o Introduce a new MAC API call,
          'mac_create_mbuf_netlayer_from_mbuf(m1, m2)', which accepts a
          reference to an existing mbuf at the network layer, and a
          reference to a partially initialized mbuf that will be the
          response.  
        
        o Invoke this call in ip_icmp.c where an ICMP response is being
          generated as a result of an incoming IP packet.
        
        o Introduce a new per-policy version of the API call,
          mpo_create_mbuf_netlayer_from_mbuf(), and invoke this from the
          MAC call.
        
        o Implement per-policy versions of this call, which for now will
          all copy the label from the incoming packet directly.
        
        This fixes panics on receiving a UDP packet for a port that is not
        open; this problem reported by Ilmar Habibulin.

Affected files ...

... //depot/projects/trustedbsd/mac/sys/kern/kern_mac.c#80 edit
... //depot/projects/trustedbsd/mac/sys/kern/kern_mac_biba.c#86 edit
... //depot/projects/trustedbsd/mac/sys/kern/kern_mac_mls.c#80 edit
... //depot/projects/trustedbsd/mac/sys/kern/kern_mac_te.c#92 edit
... //depot/projects/trustedbsd/mac/sys/netinet/ip_icmp.c#6 edit
... //depot/projects/trustedbsd/mac/sys/sys/mac.h#63 edit
... //depot/projects/trustedbsd/mac/sys/sys/mac_policy.h#28 edit
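
The label propagation described in change 5869, as a user-space model added here (not code from the TrustedBSD tree). The two hook names come from the commit message; the structures, signatures, policy table and the *_model and run_case helpers are simplified assumptions.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-ins, not the TrustedBSD kernel structures. */
struct label { int initialized, biba_grade, mls_level; };
struct mbuf { struct label label; char data[64]; };

/* Per-policy entry point; this signature is an assumption. */
struct mac_policy_ops {
    void (*mpo_create_mbuf_netlayer_from_mbuf)(const struct mbuf *, struct mbuf *);
};

/* As in the commit message, each policy copies its label from the incoming packet. */
static void biba_copy(const struct mbuf *m1, struct mbuf *m2) { m2->label.biba_grade = m1->label.biba_grade; }
static void mls_copy(const struct mbuf *m1, struct mbuf *m2) { m2->label.mls_level = m1->label.mls_level; }
static const struct mac_policy_ops policies[] = { { biba_copy }, { mls_copy } };

/* Framework call: m1 is the received packet, m2 the response being built. */
void mac_create_mbuf_netlayer_from_mbuf(const struct mbuf *m1, struct mbuf *m2)
{
    for (size_t i = 0; i < sizeof(policies) / sizeof(policies[0]); i++)
        policies[i].mpo_create_mbuf_netlayer_from_mbuf(m1, m2);
    m2->label.initialized = 1;
}

/* Model of ICMP error generation: the response is a fresh allocation. */
struct mbuf *icmp_error_model(const struct mbuf *in, int label_response)
{
    struct mbuf *out = calloc(1, sizeof(*out)); /* label starts unset */
    if (out == NULL)
        return NULL;
    snprintf(out->data, sizeof(out->data), "unreachable: %.40s", in->data);
    if (label_response)
        mac_create_mbuf_netlayer_from_mbuf(in, out);
    return out;
}

/* Output-path check: -1 marks the point where the kernel would panic. */
int if_output_model(const struct mbuf *m) { return m->label.initialized ? 0 : -1; }

/* Returns -1 if the output path rejects the response, else its Biba grade. */
int run_case(int label_response)
{
    struct mbuf in = { { 1, 7, 3 }, "UDP to closed port" }; /* constructed input */
    struct mbuf *out = icmp_error_model(&in, label_response);
    if (out == NULL) return -2;
    int r = if_output_model(out) == 0 ? out->label.biba_grade : -1;
    free(out);
    return r;
}

int main(void) { printf("no hook: %d, hook: %d\n", run_case(0), run_case(1)); return 0; }
```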


