netbsd-bugs: kern/26839: ipfilter with IPv6 can dereference a NULL pointer

Subject: kern/26839: ipfilter with IPv6 can dereference a NULL pointer
To: None <gnats-bugs@gnats.NetBSD.org>
From: None <pavel.cahyna@st.mff.cuni.cz>
List: netbsd-bugs
Date: 09/03/2004 09:47:02
>Number:         26839
>Category:       kern
>Synopsis:       ipfilter with IPv6 can dereference a NULL pointer
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Sep 03 09:48:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator:     Pavel Cahyna
>Release:        2.0_BETA
>Organization:
>Environment:
NetBSD pcap 2.0_BETA NetBSD 2.0_BETA (PCAP_TPC - zalozeno na GENERIC-$Revision: 1.4 $, pridan patch na regulaci vykonu, zkompilovano s WI_DEBUG) #13: Sun Aug 29 17:41:57 CEST 2004  pavel@pc:/home/pavel/kompilace/jadra/compile/PCAP_TPC i386
>Description:
The function fr_coalesce assumes that the fin->fin_mp and fin->fin_m pointers will be non-NULL:

int fr_coalesce(fin)
fr_info_t *fin;
{
#if !defined(__sgi) && defined(_KERNEL)
	if (fr_pullup(fin->fin_m, fin, fin->fin_plen) == NULL) {
		ATOMIC_INCL(fr_badcoalesces[fin->fin_out]);
# ifdef MENTAT
		FREE_MB_T(*fin->fin_mp);
# endif
		*fin->fin_mp = NULL;
...

But frpr_ipv6hdr, which calls fr_coalesce at several places, is called from fr_makefrip, which is called from fr_checkicmp6matchingstate, as in this backtrace:

#9  0xc012c8f2 in frpr_ipv6hdr (fin=0xc0a89b00)
    at /usr/src/sys/netinet/fil.c:464
#10 0xc0128b8d in fr_makefrip (hlen=0, ip=0x0, fin=0xc0a89b00)
    at /usr/src/sys/netinet/fil.c:1330
#11 0xc013f329 in fr_checkicmp6matchingstate (fin=0xc0a89cb0)
    at /usr/src/sys/netinet/ip_state.c:3347
#12 0xc013e2dc in fr_stlookup (fin=0xc0a89cb0, tcp=0xc290c048, ifqp=0xc0a89c78)
    at /usr/src/sys/netinet/ip_state.c:2154
#13 0xc013e73f in fr_checkstate (fin=0xc0a89cb0, passp=0x0)
    at /usr/src/sys/netinet/ip_state.c:2378
#14 0xc0129839 in fr_check (ip=0xc0a89cac, hlen=40, ifp=0x0, out=0, 
    mp=0xc0a89db8) at /usr/src/sys/netinet/fil.c:2350
#15 0xc012d95b in fr_check_wrapper6 (arg=0x0, mp=0x0, ifp=0xc0b8f034, dir=1)
    at /usr/src/sys/netinet/ip_fil_netbsd.c:183
#16 0xc03c0067 in pfil_run_hooks (ph=0x0, mp=0xc0a89e50, ifp=0xc0b8f034, dir=1)
    at /usr/src/sys/net/pfil.c:69
#17 0xc014ccaa in ip6_input (m=0xc0d1bd00)
    at /usr/src/sys/netinet6/ip6_input.c:317
#18 0xc014c24d in ip6intr () at /usr/src/sys/netinet6/ip6_input.c:212
#19 0xc0102ac9 in Xsoftnet ()

The problem is that fr_checkicmp6matchingstate sets those fields to NULL in the fin structure that is passed down:

	ofin.fin_m = NULL;	/* if dereferenced, panic XXX */
	ofin.fin_mp = NULL;	/* if dereferenced, panic XXX */

	/*
	 * We make a fin entry to be able to feed it to
	 * matchsrcdst. Note that not all fields are necessary
	 * but this is the cleanest way. Note further we fill
	 * in fin_mp such that if someone uses it we'll get
	 * a kernel panic. fr_matchsrcdst does not use this.
	 *
	 * watch out here, as ip is in host order and oip6 in network
	 * order. Any change we make must be undone afterwards.
	 */
...
(void) fr_makefrip(sizeof(*oip6), (ip_t *)oip6, &ofin);


>How-To-Repeat:

>Fix:
Yes, please.
>Release-Note:
>Audit-Trail:
>Unformatted: