From owner-freebsd-bugs@FreeBSD.ORG  Fri Mar  6 10:30:02 2009
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 61723106566C
	for <freebsd-bugs@hub.freebsd.org>;
	Fri,  6 Mar 2009 10:30:02 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id 3C1A48FC16
	for <freebsd-bugs@hub.freebsd.org>;
	Fri,  6 Mar 2009 10:30:02 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id n26AU21L002457
	for <freebsd-bugs@freefall.freebsd.org>; Fri, 6 Mar 2009 10:30:02 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.3/8.14.3/Submit) id n26AU28E002456;
	Fri, 6 Mar 2009 10:30:02 GMT (envelope-from gnats)
Resent-Date: Fri, 6 Mar 2009 10:30:02 GMT
Resent-Message-Id: <200903061030.n26AU28E002456@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Renat Vafin <hitori@yotaku.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id C5F58106564A
	for <freebsd-gnats-submit@FreeBSD.org>;
	Fri,  6 Mar 2009 10:21:23 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 9932A8FC25
	for <freebsd-gnats-submit@FreeBSD.org>;
	Fri,  6 Mar 2009 10:21:23 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id n26ALNnB089215
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 6 Mar 2009 10:21:23 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id n26ALMZc089214;
	Fri, 6 Mar 2009 10:21:22 GMT (envelope-from nobody)
Message-Id: <200903061021.n26ALMZc089214@www.freebsd.org>
Date: Fri, 6 Mar 2009 10:21:22 GMT
From: Renat Vafin <hitori@yotaku.org>
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Cc: 
Subject: kern/132354: Getting some packages to the ipnat causes crash
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Mar 2009 10:30:02 -0000


>Number:         132354
>Category:       kern
>Synopsis:       Getting some packages to the ipnat causes crash
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Mar 06 10:30:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Renat Vafin
>Release:        7.1-Release-STABLE i386
>Organization:
>Environment:
FreeBSD srv02.citynet 7.1-RELEASE FreeBSD 7.1-RELEASE #0: Tue Jan 20 17:20:32 UTC 2009     root@srv02.citynet:/usr/obj/usr/src/sys/utm  i386
>Description:
Router started to crash some time ago. We changed everything: from individual parts to the server as a whole. Tried FreeBSD 6.4, 7.0, 7.1. We used Intel (em & fxp) and Realtec (re) network cards. After installing the logger package we found ip-packet, which led to the crash. As it turned out that the crash occurs in the presence of certain strings in the configuration of ipnat. The following are the minimum contents of configuration file of ipnat. 

#cat /etc/ipnat.rules
bimap re0 10.0.0.1 -> 92.50.219.35

If the file /etc/ipnat.rules is empty or the destination address is different from the 92.50.219.35, crash does not occur.
>How-To-Repeat:
Send this packet via CommView to ethernet-port of server with running ipnat.
The contents of the package created by CommView.

============================================================================
Packet #1, Direction: Pass-through, Time:09:39:01,169296, Size: 60
Ethernet II
	Destination MAC: 00:80:48:51:C7:DD
	Source MAC: 00:14:F6:F1:B3:F1
	Ethertype: 0x0800 (2048) - IP
IP
	IP version: 0x04 (4)
	Header length: 0x05 (5) - 20 bytes
	Differentiated Services Field: 0x00 (0)
		Differentiated Services Code Point: 000000 - Default
		ECN-ECT: 0
		ECN-CE: 0
	Total length: 0x001C (28)
	ID: 0x73E1 (29665)
	Flags
		Don't fragment bit: 0 - May fragment
		More fragments bit: 0 - Last fragment
	Fragment offset: 0x05C0 (1472)
	Time to live: 0x78 (120)
	Protocol: 0x06 (6) - TCP
	Checksum: 0x1913 (6419) - correct
	Source IP: 77.40.48.178
	Destination IP: 92.50.219.35
	IP Options: None
Raw Data:
0x0000   00 80 48 51 C7 DD 00 14-F6 F1 B3 F1 08 00 45 00   ._HQúü..ÃÓ_Ó..E.
0x0010   00 1C 73 E1 00 B8 78 06-19 13 4D 28 30 B2 5C 32   ..sÂ.£x...M(0_\2
0x0020   DB 23 74 00 65 00 20 00-4C 00 00 00 00 00 00 00   ù#t.e. .L.......
0x0030   00 00 00 00 00 00 00 00-00 00 00 00               ............

============================================================================
>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted: