Subject: kern/15996: BUGTRAQ patch at tcp_input.c:2253 considered incomplete at best
To: None <gnats-bugs@gnats.netbsd.org>
From: Frank Kardel <kardel@acm.org>
List: netbsd-bugs
Date: 03/21/2002 21:59:25
>Number: 15996
>Category: kern
>Synopsis: Bugtraq Patch leads to kernel panic at tcp_input.c(1.137):2253
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Mar 21 13:00:00 PST 2002
>Closed-Date:
>Last-Modified:
>Originator: Frank Kardel
>Release: NetBSD 1.5ZC (current-20020321)
>Organization:
>Environment:
System: NetBSD pip 1.5ZC NetBSD 1.5ZC (PIP) #0: Thu Mar 21 xx:xx:xx MET 2002 kardel@pip:/tmp/src/sys/arch/i386/compile/PIP i386
Architecture: i386
Machine: i386
>Description:
In an IPv6 environment the kernel crashes at tcp_input.c(1.137):2253
as the ip pointer is not initialized (and can certainly NOT reference
an IPv4 address!). Thus the patch seems to be in a code path not
suited for it.
Typical call stack:
    panic at tcp_input+0x2c7c
    tcp6_input
    ip6_input
    ip6_intr
    Xsoftnet
>How-To-Repeat:
run kernel with IPv6 activity and wait until it attempts to drop
a connection with RST -> BOOM!
>Fix:
Thorough code review ... and then a correct patch ?
>Release-Note:
>Audit-Trail:
>Unformatted:
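The failure the PR describes is a check that dereferences the IPv4 header pointer on a code path that IPv6 packets also reach. The following is an added illustration, not code from the PR or from NetBSD's tcp_input.c: it models a reset decision that consults the destination address, and shows the family-aware shape that avoids the NULL dereference. The packet layout, the FAM_* constants, the header structs and the sample addresses are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not NetBSD's mbuf/pcb layout: a packet carries one
 * header pointer per family, and only the pointer matching `af` is valid.
 * This mirrors the PR's point that `ip` is unset on the IPv6 input path. */
enum family { FAM_INET = 4, FAM_INET6 = 6 };

struct ip4_hdr  { uint8_t dst[4]; };   /* IPv4 destination address only */
struct ip6_hdr_ { uint8_t dst[16]; };  /* IPv6 destination address only */

struct pkt {
    enum family            af;
    const struct ip4_hdr  *ip;   /* valid only when af == FAM_INET, else NULL  */
    const struct ip6_hdr_ *ip6;  /* valid only when af == FAM_INET6, else NULL */
};

enum rst_verdict { RST_SEND, RST_SUPPRESS, RST_MISSING_HDR, RST_BAD_FAMILY };

/* 224.0.0.0/4 is the IPv4 multicast range; never answer those with a RST. */
static bool dst_is_v4_multicast(const struct ip4_hdr *ip)
{
    return (ip->dst[0] & 0xf0) == 0xe0;
}

/* ff00::/8 is the IPv6 multicast range. */
static bool dst_is_v6_multicast(const struct ip6_hdr_ *ip6)
{
    return ip6->dst[0] == 0xff;
}

/* Family-aware decision: dereference only the header that matches `af`,
 * and refuse (rather than guess) when that header pointer is absent.
 * The shape to avoid is an unconditional `ip->...` read before this switch. */
enum rst_verdict rst_decision(const struct pkt *p)
{
    switch (p->af) {
    case FAM_INET:
        if (p->ip == NULL)
            return RST_MISSING_HDR;
        return dst_is_v4_multicast(p->ip) ? RST_SUPPRESS : RST_SEND;
    case FAM_INET6:
        if (p->ip6 == NULL)
            return RST_MISSING_HDR;
        return dst_is_v6_multicast(p->ip6) ? RST_SUPPRESS : RST_SEND;
    }
    return RST_BAD_FAMILY;
}

/* Convenience wrappers that build a packet with exactly one valid header. */
enum rst_verdict rst_for_v4(const struct ip4_hdr *ip)
{
    struct pkt p = { FAM_INET, ip, NULL };
    return rst_decision(&p);
}

enum rst_verdict rst_for_v6(const struct ip6_hdr_ *ip6)
{
    struct pkt p = { FAM_INET6, NULL, ip6 };
    return rst_decision(&p);
}

/* Constructed sample addresses (documentation ranges and well-known groups). */
static const struct ip4_hdr  V4_UNICAST   = { { 192, 0, 2, 10 } };
static const struct ip4_hdr  V4_MULTICAST = { { 224, 0, 0, 1 } };
static const struct ip6_hdr_ V6_UNICAST   = { { 0x20, 0x01, 0x0d, 0xb8 } };
static const struct ip6_hdr_ V6_MULTICAST = { { 0xff, 0x02 } };

static const char *verdict_name(enum rst_verdict v)
{
    switch (v) {
    case RST_SEND:        return "send RST";
    case RST_SUPPRESS:    return "suppress RST (multicast dst)";
    case RST_MISSING_HDR: return "no header for family";
    default:              return "bad family";
    }
}

int main(void)
{
    printf("v4 unicast:   %s\n", verdict_name(rst_for_v4(&V4_UNICAST)));
    printf("v4 multicast: %s\n", verdict_name(rst_for_v4(&V4_MULTICAST)));
    printf("v6 unicast:   %s\n", verdict_name(rst_for_v6(&V6_UNICAST)));
    printf("v6 multicast: %s\n", verdict_name(rst_for_v6(&V6_MULTICAST)));
    return 0;
}
```

The point of the switch is that the IPv6 branch never touches `p->ip`; a check placed before the family dispatch, as the PR describes, is reachable from tcp6_input with that pointer unset.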