NetBSD-Bugs archive
Re: kern/46697
The following reply was made to PR kern/46697; it has been noted by GNATS.
From: 6bone%6bone.informatik.uni-leipzig.de@localhost
To: gnats-bugs%NetBSD.org@localhost
Cc: kern-bug-people%netbsd.org@localhost, gnats-admin%netbsd.org@localhost, netbsd-bugs%netbsd.org@localhost
Subject: Re: kern/46697
Date: Fri, 13 May 2016 07:48:57 +0200 (CEST)
Perhaps it is the same problem as kern/50629? Christos Zoulas wrote a
workaround and applied it to netbsd-7.
Regards
Uwe
On Fri, 29 Apr 2016, Patrick Welche wrote:
> Date: Fri, 29 Apr 2016 16:20:01 +0000 (UTC)
> From: Patrick Welche <prlw1%cam.ac.uk@localhost>
> Reply-To: gnats-bugs%NetBSD.org@localhost
> To: kern-bug-people%netbsd.org@localhost, gnats-admin%netbsd.org@localhost,
> netbsd-bugs%netbsd.org@localhost, 6bone%6bone.informatik.uni-leipzig.de@localhost
> Subject: Re: kern/46697
>
> The following reply was made to PR kern/46697; it has been noted by GNATS.
>
> From: Patrick Welche <prlw1%cam.ac.uk@localhost>
> To: gnats-bugs%netbsd.org@localhost
> Cc:
> Subject: Re: kern/46697
> Date: Fri, 29 Apr 2016 17:17:28 +0100
>
> FWIW according to your coredump, the problem is at
>
> src/sys/dist/ipf/netinet/fil.c:759
>
> 750         case ICMP6_DST_UNREACH :
> 751         case ICMP6_PACKET_TOO_BIG :
> 752         case ICMP6_TIME_EXCEEDED :
> 753         case ICMP6_PARAM_PROB :
> 754                 fin->fin_flx |= FI_ICMPERR;
> 755                 minicmpsz = ICMP6ERR_IPICMPHLEN - sizeof(ip6_t);
> 756                 if (fin->fin_plen < ICMP6ERR_IPICMPHLEN)
> 757                         break;
> 758
> 759                 if (M_LEN(fin->fin_m) < fin->fin_plen) {
> 760                         if (fr_coalesce(fin) != 1)
> 761                                 return;
> 762                 }
>
> where fin->fin_m = 0x0, so M_LEN(fin->fin_m) dereferences 0.
>
> (gdb) print *fin
> $1 = {fin_ifp = 0xfffffe803dcca008, fin_fi = {fi_v = 6, fi_xx = 0, fi_tos = 0,
>     fi_ttl = 126, fi_p = 58, fi_optmsk = 8, fi_src = {i6 = {1807811104, 11110,
>     0, 728132545}, in4 = {s_addr = 1807811104}, in6 = {__u6_addr = {
>     __u6_addr8 = " \002\301kf+\000\000\000\000\000\000\301kf+",
>     __u6_addr16 = {544, 27585, 11110, 0, 0, 0, 27585, 11110},
>     __u6_addr32 = {1807811104, 11110, 0, 728132545}}}, vptr = {
>     0x2b666bc10220, 0x2b666bc100000000}, lptr = {0x2b666bc10220,
>     0x2b666bc100000000}, i6un = {type = 544, subtype = 27585,
>     label = "f+\000\000\000\000\000\000\301kf+"}}, fi_dst = {i6 = {288,
>     4252628318, 2184217380, 1280175939}, in4 = {s_addr = 288}, in6 = {
>     __u6_addr = {__u6_addr8 = " \001\000\000^\365y\375$0\202CïML",
>     __u6_addr16 = {288, 0, 62814, 64889, 33572, 33328, 61251, 19533},
>     __u6_addr32 = {288, 4252628318, 2184217380, 1280175939}}}, vptr = {
>     0xfd79f55e00000120, 0x4c4def4382308324}, lptr = {0xfd79f55e00000120,
>     0x4c4def4382308324}, i6un = {type = 288, subtype = 0,
>     label = "^\365y\375$0\202CïML"}}, fi_secmsk = 0, fi_auth = 0,
>     fi_flx = 537465860, fi_tcpmsk = 0, fi_res1 = 0}, fin_dat = {fid_16 = {259,
>     0}, fid_32 = 259}, fin_out = 1, fin_rev = 0, fin_hlen = 40,
>     fin_tcpf = 0 '\000', fin_icode = 0 '\000', fin_rule = 4294967295,
>     fin_group = "\377", '\000' <repeats 14 times>, fin_fr = 0x0,
>     fin_dp = 0xfffffe802e81806e, fin_dlen = 53244, fin_plen = 53292,
>     fin_ipoff = 0, fin_id = 96, fin_off = 0, fin_depth = 0, fin_error = 51,
>     fin_cksum = 0, fin_pktnum = 0, fin_nattag = 0x0,
>     fin_exthdr = 0xfffffe802e818066, fin_ip = 0xfffffe802e81803e, fin_mp = 0x0,
>     fin_m = 0x0}
>
>
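A minimal C model of the quoted fil.c step, added here as an illustration (not IPFilter's code): it reproduces the condition Patrick points at, fin_m == NULL reaching M_LEN(), and shows a NULL guard that turns the fault into a clean result. The reduced struct layout, the placeholder FI_ICMPERR bit and the 96-byte ICMP6ERR_IPICMPHLEN value are assumptions; the netbsd-7 workaround Uwe mentions is not shown on this page.

```c
/* Model of fil.c lines 754-762 from the quoted coredump analysis; not the
 * kernel's code. Types and constants below are assumed for the example. */
#include <stddef.h>
#include <stdio.h>

struct mbuf { int m_len; };                 /* only the field M_LEN() reads */
#define M_LEN(m) ((m)->m_len)               /* same shape as the kernel macro */

/* assumed: outer IPv6 (40) + ICMPv6 (8) + quoted inner IPv6 (40) + 8 */
#define ICMP6ERR_IPICMPHLEN 96
#define FI_ICMPERR 0x1                      /* placeholder flag bit */

struct fr_info {
    unsigned int fin_flx;
    int          fin_plen;                  /* packet length as parsed */
    struct mbuf *fin_m;                     /* NULL in the reported coredump */
};

enum icmp6_err_result {
    ICMP6_ERR_TOO_SHORT,     /* original: break, keep filtering */
    ICMP6_ERR_NO_MBUF,       /* added guard: the case that crashed */
    ICMP6_ERR_NEED_COALESCE, /* original: fr_coalesce() path */
    ICMP6_ERR_OK
};

/* Mirrors the quoted case body with one extra NULL check before M_LEN(). */
enum icmp6_err_result icmp6_error_check(struct fr_info *fin)
{
    fin->fin_flx |= FI_ICMPERR;
    if (fin->fin_plen < ICMP6ERR_IPICMPHLEN)
        return ICMP6_ERR_TOO_SHORT;
    /* Without this guard, M_LEN(fin->fin_m) dereferences address 0. */
    if (fin->fin_m == NULL)
        return ICMP6_ERR_NO_MBUF;
    if (M_LEN(fin->fin_m) < fin->fin_plen)
        return ICMP6_ERR_NEED_COALESCE;
    return ICMP6_ERR_OK;
}

int main(void)
{
    /* Constructed from the dump: fin_plen = 53292, fin_m = 0x0. */
    struct fr_info crash = { 0, 53292, NULL };
    struct mbuf m = { 53292 };
    struct fr_info good = { 0, 53292, &m };
    printf("dump case -> %d, full mbuf -> %d\n",
           icmp6_error_check(&crash), icmp6_error_check(&good));
    return 0;
}
```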