NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

kern/43484: wrong length in "larger" icmp packets when IPF enabled



>Number:         43484
>Category:       kern
>Synopsis:       wrong length in "larger" icmp packets when IPF enabled
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jun 16 02:05:00 +0000 2010
>Originator:     Mark Davies
>Release:        NetBSD 5.0_STABLE
>Organization:
ECS, Victoria Uni. of Wellington, New Zealand.
>Environment:
        
        
System: NetBSD city-art.ecs.vuw.ac.nz 5.0_STABLE NetBSD 5.0_STABLE 
(ECS_WORKSTATION) #7: Sun Feb 28 09:13:18 NZDT 2010 
mark%turakirae.ecs.vuw.ac.nz@localhost:/local/SAVE/build.obj/src/work/5/src/sys/arch/i386/compile/ECS_WORKSTATION
 i386
Architecture: i386
Machine: i386
>Description:
        IPF seems to be producing IP packets with the length field byteswapped 
        for ICMP packets that it relays larger than 200 bytes in size (including
        the ip header).

        First noticed with a 5.0_RC3/i386 system. Problem still there with a
        5.1_RC3/i386 system and a -current snapshot from yesterday.

        http://ecs.victoria.ac.nz/~mark/inside3.pcap contains a tcpdump trace 
        captured on the internal interface of the box running ipf
        showing 12 icmp port unreachable packets, and the outgoing packets
        that caused them.

        The first 4 are length 200 and pass through OK.
        The second 4 are length 201 but have length 51456 (201 byte swapped)
        recorded and have incorrect ip header checksums.
        The last 4 are length 201 but ipf has been disabled and they pass
        through OK.

        
>How-To-Repeat:
        Enable IPF on a machine acting as a router with the following
        minimal ruleset 
                pass in all
                pass out all

        use scamper from a machine on one side of the router to a machine
        on the other to cause icmp port unreachable packets of a particular
        size be generated.

        scamper -c 'ping -P udp -s 172' -i a.b.c.d
        scamper -c 'ping -P udp -s 173' -i a.b.c.d

        observe the first succeed and the second fail.
        
>Fix:
        unknown
        

>Unformatted:
        
        


Home | Main Index | Thread Index | Old Index