Date:      Thu, 25 Sep 2014 09:18:08 +0400
From:      Gleb Smirnoff <glebius@FreeBSD.org>
To:        Adrian Chadd <adrian@freebsd.org>
Cc:        "svn-src-head@freebsd.org" <svn-src-head@freebsd.org>, Sean Bruno <sbruno@freebsd.org>, "src-committers@freebsd.org" <src-committers@freebsd.org>, "svn-src-all@freebsd.org" <svn-src-all@freebsd.org>
Subject:   Re: svn commit: r272089 - head/sys/netpfil/ipfw
Message-ID:  <20140925051808.GS884@FreeBSD.org>
In-Reply-To: <CAJ-VmomsRHxiUtDw8FpP=ZGcE136dBLpDyzcpnRVbVFyk0Jmnw@mail.gmail.com>
References:  <201409250226.s8P2Q6AS055635@svn.freebsd.org> <CAJ-VmomsRHxiUtDw8FpP=ZGcE136dBLpDyzcpnRVbVFyk0Jmnw@mail.gmail.com>

On Wed, Sep 24, 2014 at 07:40:23PM -0700, Adrian Chadd wrote:
A> Hm, I saw this from Kate on IRC. Did anyone figure out _where_ these
A> frames are coming from?
A> 
A> Just dropping them is cool, but I'd really like to see the contents of
A> the frames and what their origin is.
A> 
A> I'm worried that they're valid stack-generated frames..

I agree on this. Fixing NULL pointer derefs with a NULL check is not
always the right thing to do.

A> -a
A> 
A> 
A> On 24 September 2014 19:26, Sean Bruno <sbruno@freebsd.org> wrote:
A> > Author: sbruno
A> > Date: Thu Sep 25 02:26:05 2014
A> > New Revision: 272089
A> > URL: http://svnweb.freebsd.org/changeset/base/272089
A> >
A> > Log:
A> >   Fix NULL pointer deref in ipfw when using dummynet at layer 2.
A> >   Drop packet if pkg->ifp is NULL, which is the case here.
A> >
A> >   ref. https://github.com/HardenedBSD/hardenedBSD
A> >   commit 4eef3881c64f6e3aa38eebbeaf27a947a5d47dd7
A> >
A> >   PR 193861 --  DUMMYNET LAYER2: kernel panic
A> >
A> >   in this case a kernel panic occurs. Hence, when we do not get an interface,
A> >   we just drop the packet in question.
A> >
A> >   PR:           193681
A> >   Submitted by: David Carlier <david.carlier@hardenedbsd.org>
A> >   Obtained from:        Hardened BSD
A> >   MFC after:    2 weeks
A> >   Relnotes:     yes
A> >
A> > Modified:
A> >   head/sys/netpfil/ipfw/ip_dn_io.c
A> >
A> > Modified: head/sys/netpfil/ipfw/ip_dn_io.c
A> > ==============================================================================
A> > --- head/sys/netpfil/ipfw/ip_dn_io.c    Wed Sep 24 22:58:10 2014        (r272088)
A> > +++ head/sys/netpfil/ipfw/ip_dn_io.c    Thu Sep 25 02:26:05 2014        (r272089)
A> > @@ -751,10 +751,15 @@ dummynet_send(struct mbuf *m)
A> >                         /* extract the dummynet info, rename the tag
A> >                          * to carry reinject info.
A> >                          */
A> > -                       dst = pkt->dn_dir;
A> > -                       ifp = pkt->ifp;
A> > -                       tag->m_tag_cookie = MTAG_IPFW_RULE;
A> > -                       tag->m_tag_id = 0;
A> > +                       if (pkt->dn_dir == (DIR_OUT | PROTO_LAYER2) &&
A> > +                               pkt->ifp == NULL) {
A> > +                               dst = DIR_DROP;
A> > +                       } else {
A> > +                               dst = pkt->dn_dir;
A> > +                               ifp = pkt->ifp;
A> > +                               tag->m_tag_cookie = MTAG_IPFW_RULE;
A> > +                               tag->m_tag_id = 0;
A> > +                       }
A> >                 }
A> >
A> >                 switch (dst) {
A> >
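Review bot: the new guard only fires for `pkt->dn_dir == (DIR_OUT | PROTO_LAYER2)`, so a NULL `pkt->ifp` arriving with any other direction still reaches `ifp = pkt->ifp` and the unchanged code after `switch (dst)`; if the layer-2 output path is the only one where `ifp` can legitimately be NULL, say so in a comment, otherwise test `pkt->ifp == NULL` independently of the direction. The drop is also completely silent, which works against the question raised in this thread of where these frames come from; incrementing a counter or logging under a debug knob at the `dst = DIR_DROP` line would leave a trace. Finally, the drop branch leaves `tag->m_tag_cookie` and `tag->m_tag_id` untouched, which is only safe if the `DIR_DROP` case of the switch frees the mbuf rather than handing it on with the stale dummynet tag.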
A> 

-- 
Totus tuus, Glebius.


