NetBSD-Bugs archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: kern/46697

The following reply was made to PR kern/46697; it has been noted by GNATS.

From: Patrick Welche <prlw1%cam.ac.uk@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: 
Subject: Re: kern/46697
Date: Fri, 29 Apr 2016 17:17:28 +0100

 FWIW according to your coredump, the problem is at
 
 src/sys/dist/ipf/netinet/fil.c:759
 
    750                  case ICMP6_DST_UNREACH :
    751                  case ICMP6_PACKET_TOO_BIG :
    752                  case ICMP6_TIME_EXCEEDED :
    753                  case ICMP6_PARAM_PROB :
    754                          fin->fin_flx |= FI_ICMPERR;
    755                          minicmpsz = ICMP6ERR_IPICMPHLEN - sizeof(ip6_t);
    756                          if (fin->fin_plen < ICMP6ERR_IPICMPHLEN)
    757                                  break;
    758  
    759                          if (M_LEN(fin->fin_m) < fin->fin_plen) {
    760                                  if (fr_coalesce(fin) != 1)
    761                                          return;
    762                          }
 
 where fin->fin_m = 0x0, so M_LEN(fin->fin_m) dereferences 0.
 
 (gdb) print *fin
 $1 = {fin_ifp = 0xfffffe803dcca008, fin_fi = {fi_v = 6, fi_xx = 0, fi_tos = 0, 
     fi_ttl = 126, fi_p = 58, fi_optmsk = 8, fi_src = {i6 = {1807811104, 11110, 
         0, 728132545}, in4 = {s_addr = 1807811104}, in6 = {__u6_addr = {
           __u6_addr8 = " \002\301kf+\000\000\000\000\000\000\301kf+", 
           __u6_addr16 = {544, 27585, 11110, 0, 0, 0, 27585, 11110}, 
           __u6_addr32 = {1807811104, 11110, 0, 728132545}}}, vptr = {
         0x2b666bc10220, 0x2b666bc100000000}, lptr = {0x2b666bc10220, 
         0x2b666bc100000000}, i6un = {type = 544, subtype = 27585, 
         label = "f+\000\000\000\000\000\000\301kf+"}}, fi_dst = {i6 = {288, 
         4252628318, 2184217380, 1280175939}, in4 = {s_addr = 288}, in6 = {
         __u6_addr = {__u6_addr8 = " \001\000\000^\365y\375$0\202CïML", 
           __u6_addr16 = {288, 0, 62814, 64889, 33572, 33328, 61251, 19533}, 
           __u6_addr32 = {288, 4252628318, 2184217380, 1280175939}}}, vptr = {
         0xfd79f55e00000120, 0x4c4def4382308324}, lptr = {0xfd79f55e00000120, 
         0x4c4def4382308324}, i6un = {type = 288, subtype = 0, 
         label = "^\365y\375$0\202CïML"}}, fi_secmsk = 0, fi_auth = 0, 
     fi_flx = 537465860, fi_tcpmsk = 0, fi_res1 = 0}, fin_dat = {fid_16 = {259, 
       0}, fid_32 = 259}, fin_out = 1, fin_rev = 0, fin_hlen = 40, 
   fin_tcpf = 0 '\000', fin_icode = 0 '\000', fin_rule = 4294967295, 
   fin_group = "\377", '\000' <repeats 14 times>, fin_fr = 0x0, 
   fin_dp = 0xfffffe802e81806e, fin_dlen = 53244, fin_plen = 53292, 
   fin_ipoff = 0, fin_id = 96, fin_off = 0, fin_depth = 0, fin_error = 51, 
   fin_cksum = 0, fin_pktnum = 0, fin_nattag = 0x0, 
   fin_exthdr = 0xfffffe802e818066, fin_ip = 0xfffffe802e81803e, fin_mp = 0x0, 
   fin_m = 0x0}
Home | Main Index | Thread Index | Old Index