netbsd-bugs: kern/28834: hping2 -f can crash the system

Subject: kern/28834: hping2 -f can crash the system
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: Miles Nordin <carton@Ivy.NET>
List: netbsd-bugs
Date: 01/01/2005 22:27:00
>Number:         28834
>Category:       kern
>Synopsis:       hping2 -f can crash the system
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Jan 01 22:27:00 +0000 2005
>Originator:     Miles Nordin
>Release:        NetBSD 2.0_RC5 2004-11-14
>Organization:
Ivy Ministries
>Environment:
System: NetBSD castrovalva 2.0_RC5 NetBSD 2.0_RC5 (CASTROVALVA-$Revision: 1.8 $) #0: Fri Nov 26 19:01:56 EST 2004 carton@castrovalva:/scratch/src/sys/arch/alpha/compile/CASTROVALVA alpha
and
hping-2.0.0.2
Architecture: alpha
Machine: alpha
>Description:
running hping2 as root with -f option (which sends lots of tiny fragments) 
can crash the system.

When crashed, it's unresponsive even to the serial console, not even echoing 
newlines, and although I can enter the debugger, I couldn't kill hping2.  
Each of the following:

kill 0t<hping pid>
kill 0t<hping pid>,9
kill 0t<hping pid>,0t9

followed by 'c', then wait, then enter the debugger again and type 'ps' and 
hping2 was still running.  the wchan for hping2 is empty---here is hping2 
and a few other random processes in ps -aulxww run on the kernel core dump:

USER        PID %CPU %MEM   VSZ RSS TT STAT STARTED    TIME COMMAND  UID   PID PPID CPU PRI NI   VSZ RSS WCHAN    STAT TT    TIME COMMAND
root      19149  0.0  0.0  1312   0 ?? RW+   2:38AM 0:29.00 (hping2    0 19149    0  29  -5  0  1312   0 -        RW+  ?? 0:29.00 (hping2)
root         96  0.0  0.0   160   0 ?? RWs   2Dec04 0:00.00 /usr/sb    0    96    0   0   2  0   160   0 -        RWs  ?? 0:00.00 /usr/sbin/rtadvd tlp0 tlp1 
root        107  0.0  0.0  1384   0 ?? RW    2Dec04 0:00.00 (ntpd)     0   107    0   0  18  0  1384   0 pause    RW   ?? 0:00.00 (ntpd)
root        231  0.0  0.0   256   0 ?? RWs   2Dec04 0:00.00 (inetd)    0   231    0   0   2  0   256   0 kqread   RWs  ?? 0:00.00 (inetd)
root        291  0.0  0.0   280   0 ?? RWs   2Dec04 0:00.00 (master    0   291    0   0   2  0   280   0 -        RWs  ?? 0:00.00 (master)
root        311  0.0  0.0    88   0 ?? RWL   2Dec04 0:24.00 (nfsd)     0   311    0  24   2  0    88   0 nfsd     RWL  ?? 0:24.00 (nfsd)
quagga      347  0.0  0.0   784   0 ?? RWNs  2Dec04 0:00.00 /usr/pk 1006   347    0   0   2  4   784   0 -        RWNs ?? 0:00.00 /usr/pkg/sbin/zebra -P 0 -d 
root        354  0.0  0.0   288   0 ?? RWs   2Dec04 0:00.00 (cron)     0   354    0   0  10  0   288   0 -        RWs  ?? 0:00.00 (cron)
root        378  0.0  0.0   256   0 ?? RWs   2Dec04 0:00.00 (syslog    0   378    0   0   2  0   256   0 -        RWs  ?? 0:00.00 (syslogd)
root        400  0.0  0.0   240   0 ?? RWs   2Dec04 0:00.00 (mount_    0   400    0   0  10  0   240   0 -        RWs  ?? 0:00.00 (mount_mfs)
root        403  0.0  0.0  1192   0 ?? RWs   2Dec04 0:00.00 (ipmon)    0   403    0   0  10  0  1192   0 -        RWs  ?? 0:00.00 (ipmon)
named       431  0.0  0.0  6256   0 ?? RWsa  2Dec04 0:00.00 (named)   14   431    0   0  18  0  6256   0 sigwait  RWsa ?? 0:00.00 (named)

>How-To-Repeat:
sudo hping2 -f -p 113 -i u10 -d 1000 <ip of some remote host>

the machine running hping crashes.  Without '-f' it does not crash.

savecore dump and netbsd.gdb available.

>Fix:
unknown