tech-net archive


Re: Panic in nat_inlookup (through ip6_input)



Thanks for digging out the patches.

CZ> Yes, there are fragment bugs fixed in later versions that have not been
CZ> pulled up to -6 :-(
EF> Any hint what these fixes are so I could pull them up privately?
CZ> I would probably do these first :-)

CZ> Index: fil.c
CZ> ===================================================================
CZ> RCS file: /cvsroot/src/sys/external/bsd/ipf/netinet/fil.c,v
CZ> retrieving revision 1.15.2.3
CZ> retrieving revision 1.22
I don't have the #if 0's this diff removes.

I can't retrofit ipf_rule_compare() because I don't have fr_size.

The missing if's {} apply.

Index: fil.c
===================================================================
RCS file: /cvsroot/src/sys/dist/ipf/netinet/Attic/fil.c,v
retrieving revision 1.53.2.1
diff -u -p -r1.53.2.1 fil.c
--- fil.c	14 Mar 2013 22:33:15 -0000	1.53.2.1
+++ fil.c	8 May 2018 13:23:39 -0000
@@ -4420,11 +4420,12 @@ exit_free:
 			error = fr_outobj(data, fp, IPFOBJ_FRENTRY);
 
 			if (error == 0) {
-				if ((f->fr_dsize != 0) && (uptr != NULL))
+				if ((f->fr_dsize != 0) && (uptr != NULL)) {
 					error = COPYOUT(f->fr_data, uptr,
 							f->fr_dsize);
 					if (error != 0)
 						error = EFAULT;
+				}
 				if (error == 0) {
 					f->fr_hits = 0;
 					f->fr_bytes = 0;
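
Review bot: The braces added around the COPYOUT call and its `if (error != 0)` check do not change behaviour. The whole block sits inside `if (error == 0)`, so when COPYOUT was skipped the EFAULT test was already a no-op. The pull-up description should say this is a readability fix so it is not counted as one of the functional fragment fixes. Separately, COPYOUT writes `f->fr_dsize` bytes to `uptr`, and nothing in the visible lines ties that length to a size supplied by the caller; confirm it is validated earlier in the function.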

CZ> RCS file: /cvsroot/src/sys/external/bsd/ipf/netinet/ip_fil_compat.c,v
CZ> retrieving revision 1.4
CZ> retrieving revision 1.5
This error is in new compat code I definitely don't have.

CZ> RCS file: /cvsroot/src/sys/external/bsd/ipf/netinet/ip_frag.c,v
CZ> retrieving revision 1.3.14.1
CZ> retrieving revision 1.5
Both the #if 0 and the spelling check apply.

Index: ip_frag.c
===================================================================
RCS file: /cvsroot/src/sys/dist/ipf/netinet/Attic/ip_frag.c,v
retrieving revision 1.13
diff -u -p -r1.13 ip_frag.c
--- ip_frag.c	15 Feb 2012 17:55:22 -0000	1.13
+++ ip_frag.c	8 May 2018 13:08:07 -0000
@@ -540,6 +540,8 @@ fr_fraglookup(fr_info_t *fin, ipfr_t *ta
 			} else if (off == 0)
 				f->ipfr_seen0 = 1;
 
+#if 0
+			/* We can't do this, since we only have a read lock! */
 			if (f != table[idx]) {
 				ipfr_t **fp;
 
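Review bot: The `#if 0` opened above `if (f != table[idx])` leaves the relinking code in the file as dead text. The new comment says it cannot run under a read lock, so either delete the block outright or extend the comment to name which lock is meant and what would be needed to reinstate the reordering (a write lock or a lock upgrade). As written, a later reader could re-enable it by removing two lines.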
@@ -559,9 +561,10 @@ fr_fraglookup(fr_info_t *fin, ipfr_t *ta
 				f->ipfr_hprev = table + idx;
 				table[idx] = f;
 			}
+#endif
 
 			/*
-			 * If we've follwed the fragments, and this is the
+			 * If we've followed the fragments, and this is the
 			 * last (in order), shrink expiration time.
 			 */
 			if (off == f->ipfr_off) {
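
Review bot: The comment kept just below the new `#endif` says the code shrinks the expiration time when `off == f->ipfr_off`, and the earlier context sets `f->ipfr_seen0 = 1`; both are writes to the entry made under the same read lock that the added comment gives as the reason for disabling the relinking. Confirm that these per-entry updates are safe there, or state in the comment why only the hash-chain relinking (`f->ipfr_hprev`, `table[idx]`) is the problem. The spelling fix to "followed" is fine.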

CZ> RCS file: /cvsroot/src/sys/external/bsd/ipf/netinet/radix_ipf.c,v
CZ> retrieving revision 1.5
CZ> retrieving revision 1.6
I don't have anything remotely similar to the random_{add,delete} routines 
touched here.

