Re: CARP node crashing reproducibly (4.3-stable)

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Henning Brauer <lists-openbsd@...>

To: Adrian M. Whatley <amw@...>

Cc: <lists-openbsd@...>, Stephan A. Rickauer <stephan.rickauer@...>, misc <misc@...>, <reyk@...>

Subject: Re: CARP node crashing reproducibly (4.3-stable)

Date: Monday, July 14, 2008 - 8:22 am

* Adrian M. Whatley  [2008-07-14 13:54]:

quoted text> It's a NULL pointer bug!
> which is from line 1726 in pf_send_icmp() in pf.c:

quoted text>

> 	m0->m_pkthdr.pf.flags |= PF_TAG_GENERATED;
> Looking at m_copym0, it looks like it can legitimately fail and return

quoted text> NULL (it even increments a global variable MCFail when it does so) and

> therefore the bug is that its return value is not being checked in

> pf_send_icmp.
perfect analysis!
looks like the only sane thing to do in that case is to bail and not

send the icmp.
Index: pf.c

===================================================================

RCS file: /cvs/src/sys/net/pf.c,v

retrieving revision 1.609

diff -u -p -r1.609 pf.c

--- pf.c	10 Jul 2008 07:41:21 -0000	1.609

+++ pf.c	14 Jul 2008 12:20:27 -0000

@@ -1819,7 +1819,9 @@ pf_send_icmp(struct mbuf *m, u_int8_t ty

 {

 	struct mbuf	*m0;
-	m0 = m_copy(m, 0, M_COPYALL);

+	if ((m0 = m_copy(m, 0, M_COPYALL)) == NULL)

+		return;

+

 	m0->m_pkthdr.pf.flags |= PF_TAG_GENERATED;
 	if (r->rtableid >= 0)
--

Henning Brauer, hb@bsws.de, henning@openbsd.org

BS Web Services, http://bsws.de

Full-Service ISP - Secure Hosting, Mail and DNS Services

Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

CARP node crashing reproducibly (4.3-stable), Stephan A. Rickauer, (Fri Jul 11, 10:55 am)

Re: CARP node crashing reproducibly (4.3-stable), Henning Brauer, (Fri Jul 11, 3:32 pm)

Re: CARP node crashing reproducibly (4.3-stable), Adrian M. Whatley, (Mon Jul 14, 6:38 am)

Re: CARP node crashing reproducibly (4.3-stable), Henning Brauer, (Mon Jul 14, 8:22 am)

Re: CARP node crashing reproducibly (4.3-stable), Stephan A. Rickauer, (Mon Jul 14, 11:12 am)

Re: CARP node crashing reproducibly (4.3-stable), Henning Brauer, (Mon Jul 14, 11:38 am)

Re: CARP node crashing reproducibly (4.3-stable), Stephan A. Rickauer, (Wed Jul 23, 2:44 pm)

Re: CARP node crashing reproducibly (4.3-stable), Stephan A. Rickauer, (Fri Jul 11, 3:47 pm)

Re: CARP node crashing reproducibly (4.3-stable), Reyk Floeter, (Fri Jul 11, 11:09 am)

Re: CARP node crashing reproducibly (4.3-stable), Stephan A. Rickauer, (Fri Jul 11, 11:25 am)

Re: CARP node crashing reproducibly (4.3-stable), Giancarlo Razzolini, (Fri Jul 11, 2:42 pm)


linux-kernel:
debian developer	Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
Eric W. Biederman	[PATCH 02/10] sysfs: Support for preventing unmounts.
Greg KH	[GIT PATCH] driver core patches against 2.6.24
Linus Torvalds	Re: LSM conversion to static interface
git:

openbsd-misc:

linux-netdev:
Antonio Almeida	HTB accuracy for high speed
David Miller	Re: [PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
Gerrit Renker	[PATCH 18/37] dccp: Support for Mandatory options
Timo Teräs	Re: xfrm_state locking regression...

Re: CARP node crashing reproducibly (4.3-stable)

Online users