Subject: kern/6281: Two pings will crash NetBSD 1.3.2 using ipnat
To: None <gnats-bugs@gnats.netbsd.org>
From: None <Emmanuel.Dreyfus@gizmo.minet.net>
List: netbsd-bugs
Date: 10/12/1998 20:31:08
>Number:         6281
>Category:       kern
>Synopsis:       Two pings will crash NetBSD 1.3.2 using ipnat
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Oct 12 11:35:00 1998
>Last-Modified:
>Originator:     Emmanuel Dreyfus
>Organization:
>Release:        NetBSD-1.3.2 with ipnat patch
>Environment:
>Description:

The system is an Apple MacIIci running NetBSD 1.3.2 with the three recommended patches (ipnat, uucp and dhcp). It has 3 ethernet boards:
ae0: 10.0.2.1/24 (leads to 10.0.2.25, 10.0.2.4 and 10.0.2.16)
ae1: 157.158.41.34/24 (connected to the internet)
ae2: 10.0.4.1/24 (not connected to anything yet)

Here is my /etc/ipnat.conf:
map ae1 10.0.2.0/24 -> 157.159.41.34/32 portmap tcp/udp 1025:65535
map ae1 10.0.2.0/24 -> 157.159.41.34/32
map ae1 10.0.8.0/24 -> 157.159.41.34/32 portmap tcp/udp 1025:65535
map ae1 10.0.8.0/24 -> 157.159.41.34/32
map ae1 10.0.4.0/24 -> 157.159.41.34/32 portmap tcp/udp 1025:65535
map ae1 10.0.4.0/24 -> 157.159.41.34/32

(And a few rdr)

Now, ping 157.159.40.54 from both 10.0.2.25 and 10.0.2.4 at the same time.
The NetBSD box simply crashes, without any warning. Nothing in the logs, nothing printed on the console.

With those rules:
map ae1 10.0.2.0/24 -> 157.159.41.34/32 portmap tcp/udp 1025:65535
map ae1 10.0.8.0/24 -> 157.159.41.34/32 portmap tcp/udp 1025:65535
map ae1 10.0.4.0/24 -> 157.159.41.34/32 portmap tcp/udp 1025:65535

machines on 10.0.2.0/24 cannot ping machines outside 10.0.2.0/24, but the NetBSD box does not crash with the double ping.

>How-To-Repeat:

Simply reproduce the above config. I did reproduce the bug without any problem.

>Fix:

The kernel probably gets confused with multiple pings getting back. Maybe the problem is fixed in NetBSD-current; excuse me if it is.
>Audit-Trail:
>Unformatted:
>System: NetBSD gizmo 1.3.2 NetBSD 1.3.2 (SYSTEM) #0: Fri Jul 31 16:25:25 PDT 1998 root@gizmo.hcp.net:/usr/src/sys/arch/mac68k/compile/SYSTEM mac68k
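The report's map rules pass ICMP through one public address, and ICMP echo has no ports for the portmap clause to rewrite, so a NAT can only tell two inside hosts' pings apart by the echo identifier. The following is an added example written for this page, not ipnat's code and not an explanation of the crash: it is a toy model of the per-flow state a NAT needs so that two inside hosts from the report (10.0.2.25 and 10.0.2.4) pinging the same outside host at the same time are demultiplexed correctly even when both happen to use the same echo id. The class and function names (IcmpNat, IcmpEcho, simulate_two_pings) and the colliding id 0x1234 are constructed for the example.

```python
"""Toy model of NAT state for ICMP echo (constructed example, not ipnat)."""
from dataclasses import dataclass
from typing import Dict, Tuple

PUBLIC_IP = "157.159.41.34"   # the translated address from the report's map rules


@dataclass(frozen=True)
class IcmpEcho:
    """Minimal view of an ICMP echo request/reply: addresses, id, sequence."""
    src: str
    dst: str
    icmp_id: int        # echo identifier chosen by the sending ping process
    seq: int
    is_reply: bool = False


class IcmpNat:
    """Keys outbound echo flows on (inside host, outside host, inside id) and
    hands each one a unique outside id per destination, so replies can be
    routed back without guessing."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        # (inside host, outside host, inside id) -> id used on the outside
        self.out: Dict[Tuple[str, str, int], int] = {}
        # (outside host, outside id) -> (inside host, inside id)
        self.back: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def _alloc_id(self, dst: str, wanted: int) -> int:
        # Keep the original id when it is free for this destination,
        # otherwise walk the 16-bit id space for the next free one.
        cand = wanted & 0xFFFF
        for _ in range(65536):
            if (dst, cand) not in self.back:
                return cand
            cand = (cand + 1) & 0xFFFF
        raise RuntimeError("ICMP id space exhausted for %s" % dst)

    def outbound(self, pkt: IcmpEcho) -> IcmpEcho:
        """Translate an inside->outside echo request, creating state if new."""
        key = (pkt.src, pkt.dst, pkt.icmp_id)
        if key not in self.out:
            new_id = self._alloc_id(pkt.dst, pkt.icmp_id)
            self.out[key] = new_id
            self.back[(pkt.dst, new_id)] = (pkt.src, pkt.icmp_id)
        return IcmpEcho(self.public_ip, pkt.dst, self.out[key], pkt.seq)

    def inbound(self, pkt: IcmpEcho):
        """Translate an outside->inside echo reply; None means no state exists
        and the packet should be dropped rather than delivered to a guess."""
        entry = self.back.get((pkt.src, pkt.icmp_id))
        if entry is None:
            return None
        inside_host, inside_id = entry
        return IcmpEcho(pkt.src, inside_host, inside_id, pkt.seq, True)


def simulate_two_pings(nat: IcmpNat = None) -> Dict[str, str]:
    """Both inside hosts from the report ping the same outside host with the
    same echo id (a constructed collision). Returns, per inside host, the
    inside address the NAT delivered its reply to."""
    nat = nat or IcmpNat(PUBLIC_IP)
    target = "157.159.40.54"          # target address used in the report
    delivered = {}
    for host in ("10.0.2.25", "10.0.2.4"):
        out = nat.outbound(IcmpEcho(host, target, 0x1234, 1))
        # The outside host answers with whatever id it saw on the wire.
        reply = IcmpEcho(target, out.src, out.icmp_id, 1, True)
        back = nat.inbound(reply)
        delivered[host] = back.dst if back is not None else None
    return delivered


if __name__ == "__main__":
    print(simulate_two_pings())   # each reply returns to the host that sent it
```

The second host's request gets outside id 0x1235 because 0x1234 is already in use towards that destination; a reply carrying an id the table does not know returns None and is dropped, which is the safe default for a translator that cannot attribute the packet.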