NetBSD-Bugs archive
kern/44742: Remotely triggerable ECN panic in tcp_output() on current
>Number: 44742
>Category: kern
>Synopsis: When ECN is enabled, panics can be remotely triggered
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Mar 19 04:25:00 +0000 2011
>Originator: Dustin Marquess
>Release: NetBSD 5.99.48 (also affects at least 5.99.47)
>Organization:
>Environment:
System: NetBSD bobdole.fdf.net 5.99.48 NetBSD 5.99.48 (BOBDOLE) #0: Sat Mar 19 03:18:47 UTC 2011 root%bobdole.fdf.net@localhost:/usr/src/sys/arch/amd64/compile/BOBDOLE amd64
Architecture: x86_64
Machine: amd64
>Description:
login: uvm_fault(0xffff80004d5b1018, 0x0, 2) -> e
fatal page fault in supervisor mode
trap type 6 code 2 rip ffffffff80358f4c cs 8 rflags 10246 cr2 91 cpl 4 rsp fff0
kernel: page fault trap, code=0
Stopped in pid 71.1 (ftpd) at netbsd:tcp_output+0x1aef: orb $0x2,0x91(%rax)
db{1}> trace
tcp_output() at netbsd:tcp_output+0x1aef
tcp_usrreq() at netbsd:tcp_usrreq+0x179
tcp_usrreq_wrapper() at netbsd:tcp_usrreq_wrapper+-0x351b
sosend() at netbsd:sosend+0x497
soo_write() at netbsd:soo_write+0x2d
dofilewrite() at netbsd:dofilewrite+0x76
sys_write() at netbsd:sys_write+0x6e
syscall() at netbsd:syscall+0xaa
(gdb) info line *(tcp_output+0x1aef)
Line 1350 of "../../../../netinet/tcp_output.c"
starts at address 0xffffffff80358f45 <tcp_output+6888>
and ends at 0xffffffff80358f58 <tcp_output+6907>.
tcp_output.c:1350 is:
tp->t_inpcb->inp_ip.ip_tos |= IPTOS_ECN_ECT0;
>How-To-Repeat:
Connect from an ECN-capable host (in this case, Windows 7 x86 using
FlashFXP).
>Fix:
Disabling ECN stops the panic:
sysctl -w net.inet.tcp.ecn.enable=0
sysctl -w net.inet6.tcp6.ecn.enable=0
>Unformatted:
sys/netinet/tcp_output.c 1.169