Subject: kern/30835: pf panic with synproxy rules
To: None <,,>
From: None <>
List: netbsd-bugs
Date: 07/26/2005 06:17:00
>Number:         30835
>Category:       kern
>Synopsis:       pf panic with synproxy rules
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Jul 26 06:17:00 +0000 2005
>Originator:     Akihiro Sagawa
>Release:        NetBSD 3.99.7
System: NetBSD potato 3.99.7 NetBSD 3.99.7 (POTATO) #1: Thu Jul 14 21:13:09 JST 2005 sagawa@cactus:/usr/src/netbsd/obj/sys/arch/i386/compile/POTATO i386

kernel panics when pf recieves a packet which matches synproxy rules.

	1. Make a kernel with pf support, and reboot to use the kernel.
	   ex. add below config to GENERIC config
		pseudo-device	pf
		pseudo-device	pflog

	2. Write a synproxy rule, and enable it.
	   ex. edit /etc/pf.conf
		pass in on fxp0 proto tcp from any to any flags S/SA synproxy state
	       pfctl -f /etc/pf.conf

	3. Send a TCP packet from another host to the host.
	   ex. telnet target_host

	On pf.c (rev.1.17) line 6496, *mp(*m0) is set to NULL even action = PF_PASS when using
	synproxy (previously action value was PF_SYNPROXY_DROP).

	Therefore we need check whether *mp is NULL.

--- src/sys/dist/pf/net/pf_ioctl.c.orig 2005-07-11 20:18:59.000000000 +0900
+++ src/sys/dist/pf/net/pf_ioctl.c	2005-07-16 05:27:31.000000000 +0900
@@ -2995,7 +2995,7 @@
 	 * we're not compatible with fast-forward.

-	if (dir == PFIL_IN) {
+	if (dir == PFIL_IN && *mp) {
 		(*mp)->m_flags &= ~M_CANFASTFWD;