Date: Wed, 24 Sep 2014 19:40:23 -0700
Subject: Re: svn commit: r272089 - head/sys/netpfil/ipfw
From: Adrian Chadd
To: Sean Bruno
Cc: "svn-src-head@freebsd.org", "svn-src-all@freebsd.org", "src-committers@freebsd.org"

Hm, I saw this from Kate on IRC.

Did anyone figure out _where_ these frames are coming from? Just dropping them is cool, but I'd really like to see the contents of the frames and what their origin is. I'm worried that they're valid stack-generated frames..

-a

On 24 September 2014 19:26, Sean Bruno wrote:
> Author: sbruno
> Date: Thu Sep 25 02:26:05 2014
> New Revision: 272089
> URL: http://svnweb.freebsd.org/changeset/base/272089
>
> Log:
> Fix NULL pointer deref in ipfw when using dummynet at layer 2.
> Drop packet if pkg->ifp is NULL, which is the case here.
>
> ref. https://github.com/HardenedBSD/hardenedBSD
> commit 4eef3881c64f6e3aa38eebbeaf27a947a5d47dd7
>
> PR 193861 -- DUMMYNET LAYER2: kernel panic
>
> in this case a kernel panic occurs. Hence, when we do not get an interface,
> we just drop the packet in question.
>
> PR: 193681
> Submitted by: David Carlier
> Obtained from: Hardened BSD
> MFC after: 2 weeks
> Relnotes: yes
>
> Modified:
> head/sys/netpfil/ipfw/ip_dn_io.c
>
> Modified: head/sys/netpfil/ipfw/ip_dn_io.c > ============================================================================== > --- head/sys/netpfil/ipfw/ip_dn_io.c Wed Sep 24 22:58:10 2014 (r272088) > +++ head/sys/netpfil/ipfw/ip_dn_io.c Thu Sep 25 02:26:05 2014 (r272089) 
> @@ -751,10 +751,15 @@ dummynet_send(struct mbuf *m) > /* extract the dummynet info, rename the tag > * to carry reinject info. > */ > - dst = pkt->dn_dir; > - ifp = pkt->ifp; > - tag->m_tag_cookie = MTAG_IPFW_RULE; > - tag->m_tag_id = 0; > + if (pkt->dn_dir == (DIR_OUT | PROTO_LAYER2) && > + pkt->ifp == NULL) { > + dst = DIR_DROP; > + } else { > + dst = pkt->dn_dir; > + ifp = pkt->ifp; > + tag->m_tag_cookie = MTAG_IPFW_RULE; > + tag->m_tag_id = 0; > + } > } > > switch (dst) { >
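Review bot: The new guard at the top of the tag-extraction block in dummynet_send() tests `pkt->ifp == NULL` only when `pkt->dn_dir == (DIR_OUT | PROTO_LAYER2)`, so a NULL `pkt->ifp` arriving with any other direction is still copied into `ifp` and carried into `switch (dst)`. If other cases in that switch use `ifp`, they need the same check, or the NULL test should be made independent of `dn_dir`. The drop is also silent: no comment explains why `ifp` can be NULL on this path, and nothing counts or logs the dropped frame, which leaves the question raised in the reply above (where these frames originate) unanswerable from a running system. A short comment plus a drop counter or a rate-limited log next to `dst = DIR_DROP;` would make that diagnosable. In the log message, "pkg->ifp" does not match the `pkt->ifp` used in the code, and the two PR numbers (193861 and 193681) disagree.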