Subject: Re: page fault in fr_checkicmp6matchingstate
To: None <tech-net@netbsd.org>
From: Pavel Cahyna <pavel@NetBSD.org>
List: tech-net
Date: 05/08/2007 17:57:24
On Mon, May 07, 2007 at 11:34:37AM +0200, 6bone@6bone.informatik.uni-leipzig.de wrote:
> hello,
> 
> now I can offer a complete trace with a matching netbsd.gdb
> 
> http://139.18.25.35/dump1.jpg
> http://139.18.25.35/netbsd.gdb

So. fr_checkicmp6matchingstate+0x95 is line 3479 of
src/sys/dist/ipf/netinet/ip_state.c , which, assuming you have rev.
1.5.2.1.4.1 of this file, is

	savelen = oip6->ip6_plen;

and oip6 originates several lines above:

	oip6 = (ip6_t *)((char *)ic6 + ICMPERR_ICMPHLEN);

It is not at all clear how this pointer arithmetic is supposed to
work... though there is some attempt in other parts of the code to
ensure the data is valid (call to fr_coalesce in frpr_icmp6).

btw here is the line information for the trace:

(gdb) info line *(fr_checkicmp6matchingstate+0x95)
Line 3479 of "/usr/src/sys/dist/ipf/netinet/ip_state.c"
   starts at address 0xc0169ea9 <fr_checkicmp6matchingstate+149>
   and ends at 0xc0169ead <fr_checkicmp6matchingstate+153>.
(gdb) info line *(fr_stlookup+0x2c4)
Line 2269 of "/usr/src/sys/dist/ipf/netinet/ip_state.c"
   starts at address 0xc0168bf8 <fr_stlookup+708>
   and ends at 0xc0168bfd <fr_stlookup+713>.
(gdb) info line *(fr_checkstate+0x21f)
Line 2482 of "/usr/src/sys/dist/ipf/netinet/ip_state.c"
   starts at address 0xc01690ef <fr_checkstate+531>
   and ends at 0xc0169108 <fr_checkstate+556>.
(gdb) info line *(fr_check+0x4bd)
Line 2369 of "/usr/src/sys/dist/ipf/netinet/fil.c"
   starts at address 0xc014bd07 <fr_check+1203>
   and ends at 0xc014bd1f <fr_check+1227>.

Pavel
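As an added illustration, not code from ipfilter or from this thread: the length check that has to hold before a read like "savelen = oip6->ip6_plen" through a pointer computed as ic6 + ICMPERR_ICMPHLEN is safe on a short packet. The constants, the sample packet and the function names are my own assumptions (an 8-byte ICMPv6 error header followed by a 40-byte inner IPv6 header whose ip6_plen sits at offset 4).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed constants (not ipfilter's own): an ICMPv6 error message has an
 * 8-byte ICMPv6 header, then the start of the offending packet, whose IPv6
 * header is 40 bytes with ip6_plen at offset 4. */
#define ICMP6_ERR_HLEN   8
#define IP6_HLEN        40
#define IP6_PLEN_OFF     4

/* Read the inner packet's ip6_plen (the "savelen = oip6->ip6_plen" step), but
 * only after checking that 'avail' bytes at ic6 really cover the embedded IPv6
 * header. Returns 0 and stores the host-order value, or -1 if the data is too
 * short, so the caller never reads past the end of the packet buffer. */
int inner_ip6_plen(const unsigned char *ic6, size_t avail, uint16_t *plen)
{
    if (ic6 == NULL || avail < (size_t)ICMP6_ERR_HLEN + IP6_HLEN)
        return -1;                  /* truncated: refuse instead of faulting */
    const unsigned char *oip6 = ic6 + ICMP6_ERR_HLEN;  /* same offset as ipf */
    /* Big-endian on the wire; assemble bytes to avoid alignment/endian issues */
    *plen = (uint16_t)((oip6[IP6_PLEN_OFF] << 8) | oip6[IP6_PLEN_OFF + 1]);
    return 0;
}

/* Constructed ICMPv6 Packet Too Big error (not captured traffic) with a full
 * inner IPv6 header whose ip6_plen is 40; only 'avail' bytes are exposed. */
int demo(size_t avail)
{
    unsigned char buf[64] = {0}; uint16_t plen = 0;
    buf[0] = 2;                                     /* ICMPv6 type 2 */
    buf[ICMP6_ERR_HLEN] = 0x60;                     /* inner IPv6 version */
    buf[ICMP6_ERR_HLEN + IP6_PLEN_OFF + 1] = 40;    /* ip6_plen = 0x0028 */
    return inner_ip6_plen(buf, avail, &plen) == 0 ? (int)plen : -1;
}

int main(void)
{
    printf("48 bytes available: %d\n", demo(48));   /* 40 */
    printf("20 bytes available: %d\n", demo(20));   /* -1 */
    return 0;
}
```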