kern/43484: wrong length in "larger" icmp packets when IPF enabled
>Synopsis: wrong length in "larger" icmp packets when IPF enabled
>Arrival-Date: Wed Jun 16 02:05:00 +0000 2010
>Originator: Mark Davies
>Release: NetBSD 5.0_STABLE
ECS, Victoria Uni. of Wellington, New Zealand.
System: NetBSD city-art.ecs.vuw.ac.nz 5.0_STABLE NetBSD 5.0_STABLE
(ECS_WORKSTATION) #7: Sun Feb 28 09:13:18 NZDT 2010
IPF seems to be producing IP packets with the length field byteswapped
for ICMP packets that it relays larger than 200 bytes in size (including
the ip header).
First noticed with a 5.0_RC3/i386 system. Problem still there with a
5.1_RC3/i386 system and a -current snapshot from yesterday.
http://ecs.victoria.ac.nz/~mark/inside3.pcap contains a tcpdump trace
captured on the internal interface of the box running ipf
showing 12 icmp port unreachable packets, and the outgoing packets
that caused them.
The first 4 are length 200 and pass through OK.
The second 4 are length 201 but have length 51456 (201 byte swapped)
recorded and have incorrect ip header checksums.
The last 4 are length 201 but ipf has been disabled and they pass
Enable IPF on a machine acting as a router with the following
pass in all
pass out all
Use scamper from a machine on one side of the router to a machine
on the other to cause icmp port unreachable packets of a particular
size to be generated.
scamper -c 'ping -P udp -s 172' -i a.b.c.d
scamper -c 'ping -P udp -s 173' -i a.b.c.d
Observe the first succeed and the second fail.
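
The symptom reported above (a 201-byte packet carrying 51456 in its length field, with a header checksum that no longer verifies) can be checked mechanically on captured packets. The following is an added example, not part of the original report or of IPF: it works on raw IPv4 bytes with the link-layer header already stripped, and the sample packets, addresses and function names are constructed for illustration.

```python
import struct

def ip_checksum(header: bytes) -> int:
    """RFC 1071 checksum over the header; 0 means the stored checksum verifies."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_packet(total_len: int) -> bytes:
    """Constructed ICMP-protocol IPv4 packet of total_len bytes (documentation addresses)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, 1, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + bytes(total_len - len(hdr))

def swap_length(packet: bytes) -> bytes:
    """Reproduce the reported corruption: swap the two bytes of the length field."""
    return packet[:2] + packet[3:4] + packet[2:3] + packet[4:]

def diagnose(packet: bytes) -> str:
    """Compare the header's length field and checksum with the bytes actually seen."""
    ihl = (packet[0] & 0x0F) * 4
    (ip_len,) = struct.unpack("!H", packet[2:4])
    swapped = ((ip_len & 0xFF) << 8) | (ip_len >> 8)
    csum = "ok" if ip_checksum(packet[:ihl]) == 0 else "bad"
    if ip_len == len(packet) and csum == "ok":
        return "ok"
    kind = "length byteswapped" if swapped == len(packet) else "length mismatch"
    return "%s (%d on wire, %d in header), checksum %s" % (
        kind, len(packet), ip_len, csum)

if __name__ == "__main__":
    # Constructed stand-ins for the three cases in the trace.
    for label, pkt in [("200 bytes", build_packet(200)),
                       ("201 bytes", build_packet(201)),
                       ("201 bytes, length swapped", swap_length(build_packet(201)))]:
        print(label, "->", diagnose(pkt))
```
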