kern/43548: raising net.inet.icmp.returndatabytes causes panic

[kefren%netbsd.org@localhost]

>Number:         43548
>Category:       kern
>Synopsis:       raising net.inet.icmp.returndatabytes causes panic
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Jul 01 22:20:00 +0000 2010
>Originator:     MC5794-RIPE
>Release:        NetBSD 5.99.33
>Organization:
        
>Environment:
        
        
System: NetBSD kefren.ngnetworks.ro 5.99.33 NetBSD 5.99.33 (Home) #10: Wed Jun 
30 15:15:28 EEST 2010 
kefren%kefren.ngnetworks.ro@localhost:/disk3/work/netbsd-current/src/sys/arch/amd64/compile/obj/Home
 amd64
Architecture: x86_64
Machine: amd64
>Description:
        

        panic: icmp len

        db{0}> bt
        
breakpoint(c06dc506,dc,c38590e4,cb4afc0c,dc,c382f810,cb4afc40,c0468d52,c0aff30b,
        0) at netbsd:breakpoint+0x4
        panic(c0aff30b,0,dc,c3859008,0,0,0,c3869300,c3859000,c386a600) at 
netbsd:panic+0
        x1f3
        icmp_error(c3869300,b,0,0,0,cb4afcf8,cb4afca0,c05d9c4f,0,cb4afc90) at 
netbsd:icm
        p_error+0x422
        ip_forward(c3869300,0,cb9f5004,1,c0c37a80,0,132,c04b6db8,4,14) at 
netbsd:ip_forw
        ard+0x242
        ip_input(c3869300,0,c2a17700,cb4afd10,201a8c0,1,4,c2a17700,2e,cb36ea80) 
at netbs
        d:ip_input+0x7ca
        ipintr(0,10,30,10,10,0,36ed20,cb78b900,0,cb4afda0) at netbsd:ipintr+0x96
        softint_dispatch(cb36ed20,4,0,0,0,0,cb4afd90,cb4afbb8,cb4afc10,0) at 
netbsd:soft
        int_dispatch+0x70

>How-To-Repeat:
        1. sysctl -w net.inet.icmp.returndatabytes=200
        2. make it respond with icmp ttl expired in transit to a large packet - 
using traceroute for example
        3. see it crash
        
>Fix:
        
        Looks like code is broken for M_EXT case, I will try to look over it 
next week if noone fix it until then.

>Unformatted: