Date: Sun, 15 Apr 2012 11:10:03 GMT From: Gleb Smirnoff <glebius@FreeBSD.org> To: freebsd-pf@FreeBSD.org Subject: kern/164402: [pf] pf crashes with a particular set of rules when first matching packet arrives Message-ID: <201204151110.q3FBA3Fr034331@freefall.freebsd.org>
The following reply was made to PR kern/164402; it has been noted by GNATS.
From: Gleb Smirnoff <glebius@FreeBSD.org>
To: "Eugene M. Zheganin" <eugene@zhegan.in>
Cc: bug-followup@FreeBSD.org
Subject: kern/164402: [pf] pf crashes with a particular set of rules when first matching packet arrives
Date: Sun, 15 Apr 2012 15:07:56 +0400
Hi,
I have a vague suspicion about what is happening. Your description of
the problem looks as if packet processing in the kernel has entered
an endless loop.
Looking at pf_route() I see such a possibility. From OpenBSD we have
this protection against endless looping:
    if ((*m)->m_pkthdr.pf.routed++ > 3) {
        m0 = *m;
        *m = NULL;
        goto bad;
    }
In our code this transforms to:
    if (pd->pf_mtag->routed++ > 3) {
        m0 = *m;
        *m = NULL;
        goto bad;
    }
The root difference between storing the tag on mbuf and on pfdesc
is that we lose pfdesc, and thus the tag, when we enter pf_test()
recursively. And pf_route() does this recursion:
    if (oifp != ifp) {
        if (pf_test(PF_OUT, ifp, &m0, NULL) != PF_PASS) {
            goto bad;
    ....
--
Totus tuus, Glebius.
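The failure mode Gleb describes above (a loop guard whose counter lives in a per-call descriptor that is rebuilt on every re-entry, so the counter never reaches its limit) can be modelled in a few lines. The following is an added illustration written for this archive page, not code from the FreeBSD or OpenBSD pf sources: `struct pkt` stands in for the mbuf, `struct pdesc` for the per-pf_test() packet descriptor, the rule set is assumed to always route the packet again, and `RUNAWAY_DEPTH` is a constructed safety cap so the demonstration of the broken variant terminates instead of recursing forever.

```c
#include <stdio.h>

#define ROUTE_LIMIT   3   /* the "> 3" threshold from the quoted guard */
#define RUNAWAY_DEPTH 64  /* constructed cap: stands in for the kernel running out of stack */

/* Stand-in for the mbuf: it is the same object across nested pf_test() calls. */
struct pkt {
    int routed;   /* like (*m)->m_pkthdr.pf.routed in OpenBSD */
};

/* Stand-in for pf_pdesc: a fresh one is built every time pf_test() is entered. */
struct pdesc {
    struct pkt *m;
    int routed;   /* like pd->pf_mtag->routed once the tag is lost on re-entry */
};

enum guard_where { GUARD_ON_PACKET, GUARD_ON_PDESC };

struct result {
    int hops;     /* how many times the simulated pf_route() was entered */
    int dropped;  /* 1 if the loop guard fired (the "goto bad" path) */
    int runaway;  /* 1 if the safety cap was hit instead of the guard */
};

static void sim_test(struct pkt *m, enum guard_where where, int depth, struct result *r);

/* Mirrors `if (routed++ > 3) goto bad;` from the mail: post-increment, then compare. */
static int guard_fires(int *counter)
{
    return (*counter)++ > ROUTE_LIMIT;
}

/* Simulated pf_route(): count one hop, apply the guard, then re-inject the
 * packet through pf_test() on the new interface (the oifp != ifp case). */
static void sim_route(struct pkt *m, struct pdesc *pd, enum guard_where where,
                      int depth, struct result *r)
{
    int *counter = (where == GUARD_ON_PACKET) ? &m->routed : &pd->routed;

    r->hops++;
    if (guard_fires(counter)) {
        r->dropped = 1;   /* goto bad */
        return;
    }
    sim_test(m, where, depth + 1, r);
}

/* Simulated pf_test(): every entry builds a new descriptor, so a counter kept
 * there starts from zero again. The assumed rule set always matches a route rule. */
static void sim_test(struct pkt *m, enum guard_where where, int depth, struct result *r)
{
    if (depth >= RUNAWAY_DEPTH) {
        r->runaway = 1;
        return;
    }
    struct pdesc pd = { .m = m, .routed = 0 };
    sim_route(m, &pd, where, depth, r);
}

/* Run one packet through the simulated path with the guard stored as requested. */
struct result run_packet(enum guard_where where)
{
    struct pkt m = { .routed = 0 };
    struct result r = { 0, 0, 0 };
    sim_test(&m, where, 0, &r);
    return r;
}

int main(void)
{
    struct result on_pkt = run_packet(GUARD_ON_PACKET);
    struct result on_pd  = run_packet(GUARD_ON_PDESC);

    printf("guard on packet: hops=%d dropped=%d runaway=%d\n",
           on_pkt.hops, on_pkt.dropped, on_pkt.runaway);
    printf("guard on pdesc : hops=%d dropped=%d runaway=%d\n",
           on_pd.hops, on_pd.dropped, on_pd.runaway);
    return 0;
}
```

With the counter on the packet, the guard drops the packet on the fifth trip through the route path (values 0 through 3 pass, 4 fails the `> 3` check), matching the OpenBSD behaviour. With the counter on the descriptor, every re-entry sees a fresh zero and the only thing that stops the model is the constructed cap, which is the point of the diagnosis: a loop guard only works if its state outlives the recursion it is meant to bound.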