Subject: kern/11922: "Data modified on freelist" during fragmented ICMP flood
To: None <gnats-bugs@gnats.netbsd.org>
From: S.P.Zeidler <spz@serpens.de>
List: netbsd-bugs
Date: 01/09/2001 14:23:13
>Number:         11922
>Category:       kern
>Synopsis:       Data modified on freelist
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Jan 09 14:23:00 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     S.P.Zeidler
>Release:        1.5
>Organization:
spz@serpens.de (S.P.Zeidler)
>Environment:
	Amiga3000/040, 1.5
System: NetBSD serpens.de 1.5 NetBSD 1.5 (SERPENS) #0: Sun Dec 17 01:59:30 MET 2000 spz@serpens.de:/data/15src/sys/arch/amiga/compile/SERPENS amiga


>Description:
	While being pingflooded with fragmented (?) packets, a load of "Data
	modified on freelist" messages populated the console.

	sample ipf.log:
Jan  9 22:19:16 serpens ipmon[128]: 22:18:17.513403 1565x              le0 @100:9 p 193.6.61.179 -> 194.120.0.2 PR icmp len 20 (29) frag 9@65520 IN 
Jan  9 22:19:16 serpens ipmon[128]: 22:18:18.507265 1552x              le0 @100:9 p 193.6.61.179 -> 194.120.0.2 PR icmp len 20 (29) frag 9@65520 IN 
Jan  9 22:19:16 serpens ipmon[128]: 22:18:19.507278 1593x              le0 @100:9 p 193.6.61.179 -> 194.120.0.2 PR icmp len 20 (29) frag 9@65520 IN 
Jan  9 22:19:16 serpens ipmon[128]: 22:18:20.506903 1521x              le0 @100:9 p 193.6.61.179 -> 194.120.0.2 PR icmp len 20 (29) frag 9@65520 IN 
Jan  9 22:19:17 serpens ipmon[128]: 22:18:21.508674 1573x              le0 @100:9 p 193.6.61.179 -> 194.120.0.2 PR icmp len 20 (29) frag 9@65520 IN 
Jan  9 22:19:17 serpens ipmon[128]: 22:18:22.496671 1610x              le0 @100:9 p 193.6.61.179 -> 194.120.0.2 PR icmp len 20 (29) frag 9@65520 IN 
Jan  9 22:19:17 serpens ipmon[128]: 22:18:23.506479 1604x              le0 @100:9 p 193.6.61.179 -> 194.120.0.2 PR icmp len 20 (29) frag 9@65520 IN 
Jan  9 22:19:17 serpens ipmon[128]: 22:18:24.506545 1606x              le0 @100:9 p 193.6.61.179 -> 194.120.0.2 PR icmp len 20 (29) frag 9@65520 IN 
Jan  9 22:19:17 serpens ipmon[128]: 22:18:25.506620 1585x              le0 @100:9 p 193.6.61.179 -> 194.120.0.2 PR icmp len 20 (29) frag 9@65520 IN 
Jan  9 22:19:17 serpens ipmon[128]: 22:18:26.506596 1598x              le0 @100:9 p 193.6.61.179 -> 194.120.0.2 PR icmp len 20 (29) frag 9@65520 IN 
Jan  9 22:19:17 serpens ipmon[128]: 22:18:27.506307 1602x              le0 @100:9 p 193.6.61.179 -> 194.120.0.2 PR icmp len 20 (29) frag 9@65520 IN 
Jan  9 22:19:17 serpens ipmon[128]: 22:18:28.505769 1606x              le0 @100:9 p 193.6.61.179 -> 194.120.0.2 PR icmp len 20 (29) frag 9@65520 IN 
Jan  9 22:19:17 serpens ipmon[128]: 22:18:29.506111 1603x              le0 @100:9 p 193.6.61.179 -> 194.120.0.2 PR icmp len 20 (29) frag 9@65520 IN 
Jan  9 22:19:17 serpens ipmon[128]: 22:18:30.506059 1590x              le0 @100:9 p 193.6.61.179 -> 194.120.0.2 PR icmp len 20 (29) frag 9@65520 IN 
Jan  9 22:19:17 serpens ipmon[128]: 22:18:31.506339 1603x              le0 @100:9 p 193.6.61.179 -> 194.120.0.2 PR icmp len 20 (29) frag 9@65520 IN 
Jan  9 22:19:19 serpens ipmon[128]: 22:18:40.504921 1534x              le0 @100:9 p 193.6.61.179 -> 194.120.0.2 PR icmp len 20 (29) frag 9@65520 IN 
Jan  9 22:19:19 serpens ipmon[128]: 22:18:41.509104 1605x              le0 @100:9 p 193.6.61.179 -> 194.120.0.2 PR icmp len 20 (29) frag 9@65520 IN 
Jan  9 22:19:20 serpens ipmon[128]: 22:19:01.492747 1620x              le0 @100:9 p 193.6.61.179 -> 194.120.0.2 PR icmp len 20 (29) frag 9@65520 IN 
Jan  9 22:19:20 serpens ipmon[128]: 22:19:04.502309 1574x              le0 @100:9 p 193.6.61.179 -> 194.120.0.2 PR icmp len 20 (29) frag 9@65520 IN 
Jan  9 22:19:21 serpens ipmon[128]: 22:19:05.502048 1605x              le0 @100:9 p 193.6.61.179 -> 194.120.0.2 PR icmp len 20 (29) frag 9@65520 IN 
	sample console output:
Data modified on freelist: word 1 of object 0x4a4e80 size 80 previous type temp (0xdeadbef1 != 0xdeadbeef)
Data modified on freelist: word 1 of object 0x4a4900 size 80 previous type temp (0xdeadbef1 != 0xdeadbeef)
Data modified on freelist: word 1 of object 0x4a4200 size 80 previous type temp (0xdeadbef0 != 0xdeadbeef)
Data modified on freelist: word 1 of object 0x3d3b00 size 68 previous type temp (0xdeadbef0 != 0xdeadbeef)
Data modified on freelist: word 1 of object 0x4a5f80 size 68 previous type temp (0xdeadbef0 != 0xdeadbeef)
Data modified on freelist: word 1 of object 0x4a5380 size 80 previous type temp (0xdeadbef0 != 0xdeadbeef)
Data modified on freelist: word 1 of object 0x491500 size 80 previous type temp (0xdeadbef0 != 0xdeadbeef)
Data modified on freelist: word 1 of object 0x4a5400 size 80 previous type temp (0xdeadbef0 != 0xdeadbeef)
Data modified on freelist: word 1 of object 0x3c8100 size 80 previous type temp (0xdeadbef0 != 0xdeadbeef)
Data modified on freelist: word 1 of object 0x3d3900 size 80 previous type temp (0xdeadbef0 != 0xdeadbeef)
Data modified on freelist: word 1 of object 0x45a600 size 68 previous type temp (0xdeadbef0 != 0xdeadbeef)
Data modified on freelist: word 1 of object 0x4a4e00 size 108 previous type temp (0xdeadbef0 != 0xdeadbeef)
Data modified on freelist: word 1 of object 0x447000 size 68 previous type temp (0xdeadbef0 != 0xdeadbeef)
Data modified on freelist: word 1 of object 0x4a5700 size 68 previous type temp (0xdeadbef2 != 0xdeadbeef)
Data modified on freelist: word 1 of object 0x490600 size 107 previous type temp (0xdeadbef0 != 0xdeadbeef)
Data modified on freelist: word 1 of object 0x491200 size 68 previous type temp (0xdeadbef0 != 0xdeadbeef)
Data modified on freelist: word 1 of object 0x4a4200 size 68 previous type temp (0xdeadbef3 != 0xdeadbeef)
Data modified on freelist: word 1 of object 0x3d3a00 size 68 previous type temp (0xdeadbef0 != 0xdeadbeef)
Data modified on freelist: word 1 of object 0x45bf80 size 80 previous type temp (0xdeadbef0 != 0xdeadbeef)
Data modified on freelist: word 1 of object 0x447900 size 108 previous type temp (0xdeadbef0 != 0xdeadbeef)

There have been a lot more lines in both categories; I took the last 20 of
both, hoping to get some causal overlap.

>How-To-Repeat:
	I'd rather not.
>Fix:
	no idea, sorry
>Release-Note:
>Audit-Trail:
>Unformatted:
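
A triage sketch for the two log excerpts in this report, added here as an example; it is not part of the original PR or of NetBSD or IPFilter code. It assumes the ipmon fields mean `<N>x` = repeat count, `len <header bytes> (<total bytes>)` and `frag <payload bytes>@<byte offset>`; the function names and the shortened sample lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample: lines shaped like the report's logs, whitespace shortened.
IPF_SAMPLE = """\
Jan  9 22:19:16 serpens ipmon[128]: 22:18:17.513403 1565x le0 @100:9 p 193.6.61.179 -> 194.120.0.2 PR icmp len 20 (29) frag 9@65520 IN
Jan  9 22:19:20 serpens ipmon[128]: 22:19:01.492747 1620x le0 @100:9 p 193.6.61.179 -> 194.120.0.2 PR icmp len 20 (29) frag 9@65520 IN
"""
KERN_SAMPLE = """\
Data modified on freelist: word 1 of object 0x4a4e80 size 80 previous type temp (0xdeadbef1 != 0xdeadbeef)
Data modified on freelist: word 1 of object 0x3d3b00 size 68 previous type temp (0xdeadbef0 != 0xdeadbeef)
Data modified on freelist: word 1 of object 0x4a4200 size 68 previous type temp (0xdeadbef3 != 0xdeadbeef)
"""

IP_MAX = 65535  # largest value of the 16-bit IPv4 total-length field

# Assumed field meaning: "<N>x" repeat count, "len <hlen> (<total>)",
# "frag <payload bytes>@<byte offset>".
IPF_RE = re.compile(
    r"(?:(?P<count>\d+)x\s+)?(?P<ifc>\S+) @\d+:\d+ \S (?P<src>\S+) -> (?P<dst>\S+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) \((?P<tot>\d+)\) frag (?P<flen>\d+)@(?P<off>\d+)")
KERN_RE = re.compile(
    r"Data modified on freelist: word (\d+) of object (0x[0-9a-f]+) size (\d+) "
    r"previous type (\S+) \((0x[0-9a-f]+) != (0x[0-9a-f]+)\)")

def oversize_fragments(text):
    """Return one record per logged fragment whose reassembled size exceeds IP_MAX."""
    hits = []
    for m in IPF_RE.finditer(text):
        # Size the datagram would have once this fragment is placed at its offset.
        end = int(m["hlen"]) + int(m["off"]) + int(m["flen"])
        if end > IP_MAX:
            hits.append({"src": m["src"], "dst": m["dst"], "proto": m["proto"],
                         "packets": int(m["count"] or 1), "reassembled": end})
    return hits

def freelist_deltas(text):
    """Count how far each overwritten word is from the expected fill pattern."""
    return Counter(int(m[5], 16) - int(m[6], 16) for m in KERN_RE.finditer(text))

if __name__ == "__main__":
    for h in oversize_fragments(IPF_SAMPLE):
        print(h)
    print(dict(freelist_deltas(KERN_SAMPLE)))
```

Under the assumed field meaning, every ipmon line in the report implies a reassembled datagram of 20 + 65520 + 9 = 65549 bytes, above the 65535-byte IPv4 maximum, and the overwritten freelist words sit 1 to 4 above 0xdeadbeef.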