Re: kern/46697

[6bone%6bone.informatik.uni-leipzig.de@localhost]

perhaps it is the same problem as kern/50629? Christos Zoulas wrote a 
workaround and applied it to netbsd-7

Regards
Uwe

On Fri, 29 Apr 2016, Patrick Welche wrote:

> Date: Fri, 29 Apr 2016 16:20:01 +0000 (UTC)
> From: Patrick Welche <prlw1%cam.ac.uk@localhost>
> Reply-To: gnats-bugs%NetBSD.org@localhost
> To: kern-bug-people%netbsd.org@localhost, gnats-admin%netbsd.org@localhost,
>     netbsd-bugs%netbsd.org@localhost, 6bone%6bone.informatik.uni-leipzig.de@localhost
> Subject: Re: kern/46697
>
> The following reply was made to PR kern/46697; it has been noted by GNATS.
>
> From: Patrick Welche <prlw1%cam.ac.uk@localhost>
> To: gnats-bugs%netbsd.org@localhost
> Cc:
> Subject: Re: kern/46697
> Date: Fri, 29 Apr 2016 17:17:28 +0100
>
> FWIW according to your coredump, the problem is at
>
> src/sys/dist/ipf/netinet/fil.c:759
>
>    750                  case ICMP6_DST_UNREACH :
>    751                  case ICMP6_PACKET_TOO_BIG :
>    752                  case ICMP6_TIME_EXCEEDED :
>    753                  case ICMP6_PARAM_PROB :
>    754                          fin->fin_flx |= FI_ICMPERR;
>    755                          minicmpsz = ICMP6ERR_IPICMPHLEN - sizeof(ip6_t);
>    756                          if (fin->fin_plen < ICMP6ERR_IPICMPHLEN)
>    757                                  break;
>    758
>    759                          if (M_LEN(fin->fin_m) < fin->fin_plen) {
>    760                                  if (fr_coalesce(fin) != 1)
>    761                                          return;
>    762                          }
>
> where fin->fin_m = 0x0, so M_LEN(fin->fin_m) dereferences 0.
>
> (gdb) print *fin
> $1 = {fin_ifp = 0xfffffe803dcca008, fin_fi = {fi_v = 6, fi_xx = 0, fi_tos = 0,
>     fi_ttl = 126, fi_p = 58, fi_optmsk = 8, fi_src = {i6 = {1807811104, 11110,
>         0, 728132545}, in4 = {s_addr = 1807811104}, in6 = {__u6_addr = {
>           __u6_addr8 = " \002\301kf+\000\000\000\000\000\000\301kf+",
>           __u6_addr16 = {544, 27585, 11110, 0, 0, 0, 27585, 11110},
>           __u6_addr32 = {1807811104, 11110, 0, 728132545}}}, vptr = {
>         0x2b666bc10220, 0x2b666bc100000000}, lptr = {0x2b666bc10220,
>         0x2b666bc100000000}, i6un = {type = 544, subtype = 27585,
>         label = "f+\000\000\000\000\000\000\301kf+"}}, fi_dst = {i6 = {288,
>         4252628318, 2184217380, 1280175939}, in4 = {s_addr = 288}, in6 = {
>         __u6_addr = {__u6_addr8 = " \001\000\000^\365y\375$0\202CïML",
>           __u6_addr16 = {288, 0, 62814, 64889, 33572, 33328, 61251, 19533},
>           __u6_addr32 = {288, 4252628318, 2184217380, 1280175939}}}, vptr = {
>         0xfd79f55e00000120, 0x4c4def4382308324}, lptr = {0xfd79f55e00000120,
>         0x4c4def4382308324}, i6un = {type = 288, subtype = 0,
>         label = "^\365y\375$0\202CïML"}}, fi_secmsk = 0, fi_auth = 0,
>     fi_flx = 537465860, fi_tcpmsk = 0, fi_res1 = 0}, fin_dat = {fid_16 = {259,
>       0}, fid_32 = 259}, fin_out = 1, fin_rev = 0, fin_hlen = 40,
>   fin_tcpf = 0 '\000', fin_icode = 0 '\000', fin_rule = 4294967295,
>   fin_group = "\377", '\000' <repeats 14 times>, fin_fr = 0x0,
>   fin_dp = 0xfffffe802e81806e, fin_dlen = 53244, fin_plen = 53292,
>   fin_ipoff = 0, fin_id = 96, fin_off = 0, fin_depth = 0, fin_error = 51,
>   fin_cksum = 0, fin_pktnum = 0, fin_nattag = 0x0,
>   fin_exthdr = 0xfffffe802e818066, fin_ip = 0xfffffe802e81803e, fin_mp = 0x0,
>   fin_m = 0x0}