From owner-freebsd-bugs@FreeBSD.ORG Sat Mar 5 20:15:14 2011
Return-Path:
Delivered-To: freebsd-bugs@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 26CEE106564A for ; Sat, 5 Mar 2011 20:15:14 +0000 (UTC) (envelope-from sthaug@nethelp.no)
Received: from bizet.nethelp.no (bizet.nethelp.no [195.1.209.33]) by mx1.freebsd.org (Postfix) with SMTP id 56D978FC0C for ; Sat, 5 Mar 2011 20:15:12 +0000 (UTC)
Received: (qmail 51538 invoked from network); 5 Mar 2011 19:48:32 -0000
Received: from bizet.nethelp.no (HELO localhost) (195.1.209.33) by bizet.nethelp.no with SMTP; 5 Mar 2011 19:48:32 -0000
Date: Sat, 05 Mar 2011 20:48:32 +0100 (CET)
Message-Id: <20110305.204832.74739238.sthaug@nethelp.no>
To: freebsd-bugs@freebsd.org
From: sthaug@nethelp.no
X-Mailer: Mew version 3.3 on Emacs 21.3 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: Re: kern/145733: [patch] ipfw flaws with ipv6 fragments
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 05 Mar 2011 20:15:14 -0000

IPFW incorrectly handles IPv6 packets with a fragment header followed by a
last fragment only (i.e. the fragment header has fragment offset = 0 and
M bit = 0). Such packets are allowed by RFC 2460. The problem is well
described in kern/145733 from 16 April 2010, but nothing seems to have
happened with this PR so far.

I see the effects of this problem on several name servers which handle
IPv6 traffic. One typical example is

    15:49:26.408456 IP6 2001:1a68::d911:210a > 2001:8c0:2001::3:53: frag (0|50) 50017 > 53: 38139% [1au] AAAA? dns1.eunet.no. (42)
            0x0000:  6008 f572 003a 2c36 2001 1a68 0000 0000  `..r.:,6...h....
            0x0010:  0000 0000 d911 210a 2001 08c0 2001 0000  ......!.........
            0x0020:  0000 0000 0003 0053 1100 0000 a977 6460  .......S.....wd`
            0x0030:  c361 0035 0032 21f6 94fb 0010 0001 0000  .a.5.2!.........
            0x0040:  0000 0001 0464 6e73 3105 6575 6e65 7402  .....dns1.eunet.
            0x0050:  6e6f 0000 1c00 0100 0029 1000 0000 8000  no.......)......
            0x0060:  0000                                     ..

which results in the following log entry:

    Feb 6 15:49:26 dns1 kernel: IPFW2: IPV6 - Invalid Fragment Header

and then the packet is dropped, even though the packet is perfectly valid.
The logs on my name servers are getting filled with these error messages...

Does anybody have an idea of whether the patch in kern/145733 will be
incorporated into ip_fw2.c any time soon?

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
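The packet quoted above can be decoded by hand to confirm the claim: the IPv6 Next Header is 0x2c (44, Fragment), the Fragment header's offset/flags field is 0x0000 (offset 0, M = 0), and the UDP header that follows carries ports 50017 and 53. The following parser, added here as an illustration and not code from ipfw or from the PR, walks the IPv6 extension header chain, classifies the fragment, and treats the offset-0/M=0 case as a whole datagram rather than an error. The sample bytes are the hex columns of the tcpdump dump in the mail; the function names (`parse_hexdump`, `classify_fragment`, `build_fragment`) and the constructed packets in the usage section are the example's own.

```python
"""Classify the fragment in an IPv6 packet that carries a Fragment header.

Added example (not ipfw's code). The sample packet is the tcpdump -x dump
from the mail above: a DNS query sent as a single fragment with offset 0
and M = 0, which RFC 2460 permits.
"""
import struct

IPV6_HDR_LEN = 40
NH_FRAGMENT = 44
NH_UDP = 17
# Extension headers that use the generic (next header, length-1 in 8-octet
# units) layout and may precede the Fragment header.
GENERIC_EXT_HEADERS = {0, 43, 60}  # Hop-by-Hop, Routing, Destination Options

# Hex columns of the tcpdump output quoted in the mail (ASCII column dropped).
TCPDUMP_HEX = """
0x0000: 6008 f572 003a 2c36 2001 1a68 0000 0000
0x0010: 0000 0000 d911 210a 2001 08c0 2001 0000
0x0020: 0000 0000 0003 0053 1100 0000 a977 6460
0x0030: c361 0035 0032 21f6 94fb 0010 0001 0000
0x0040: 0000 0001 0464 6e73 3105 6575 6e65 7402
0x0050: 6e6f 0000 1c00 0100 0029 1000 0000 8000
0x0060: 0000
"""


def parse_hexdump(text):
    """Convert 'offset: hex words' lines into raw packet bytes."""
    out = bytearray()
    for line in text.strip().splitlines():
        _offset, _, words = line.partition(":")
        out.extend(bytes.fromhex(words.replace(" ", "")))
    return bytes(out)


def classify_fragment(pkt):
    """Walk the IPv6 header chain and describe the Fragment header, if any.

    Returns a dict whose 'kind' is 'none', 'atomic', 'first', 'middle' or
    'last'. Raises ValueError only for genuinely malformed input.
    """
    if len(pkt) < IPV6_HDR_LEN:
        raise ValueError("truncated IPv6 header")
    ver_tc_fl, payload_len, nh, _hop_limit = struct.unpack("!IHBB", pkt[:8])
    if ver_tc_fl >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    if len(pkt) < IPV6_HDR_LEN + payload_len:
        raise ValueError("packet shorter than Payload Length")

    off = IPV6_HDR_LEN
    while nh in GENERIC_EXT_HEADERS:          # skip headers before Fragment
        nh, ext_len = pkt[off], pkt[off + 1]
        off += (ext_len + 1) * 8
    if nh != NH_FRAGMENT:
        return {"kind": "none", "inner_next_header": nh, "l4_offset": off}
    if off + 8 > len(pkt):
        raise ValueError("truncated Fragment header")

    inner_nh, _reserved, off_flags, ident = struct.unpack("!BBHI", pkt[off:off + 8])
    frag_offset = off_flags >> 3               # 13-bit offset, 8-octet units
    more = bool(off_flags & 0x1)               # M flag is the low bit
    if frag_offset == 0:
        # Offset 0 with M = 0 means the whole datagram sits in this one
        # fragment. RFC 2460 allows it; it is the case the mail reports ipfw
        # rejecting, and it must be handled like an unfragmented packet.
        kind = "atomic" if not more else "first"
    else:
        kind = "middle" if more else "last"

    info = {
        "kind": kind,
        "fragment_offset": frag_offset,
        "more_fragments": more,
        "identification": ident,
        "inner_next_header": inner_nh,
        "l4_offset": off + 8,
    }
    # Transport ports are only present in the fragment that carries offset 0.
    if frag_offset == 0 and inner_nh == NH_UDP and off + 12 <= len(pkt):
        info["udp_ports"] = struct.unpack("!HH", pkt[off + 8:off + 12])
    return info


def build_fragment(frag_offset, more, payload=b"\x00" * 16):
    """Construct a minimal IPv6 packet with a Fragment header (test input only)."""
    frag = struct.pack("!BBHI", NH_UDP, 0, (frag_offset << 3) | int(more), 0x1234)
    ip6 = struct.pack("!IHBB", 6 << 28, 8 + len(payload), NH_FRAGMENT, 64)
    return ip6 + bytes(16) + bytes(16) + frag + payload   # unspecified addresses


if __name__ == "__main__":
    print(classify_fragment(parse_hexdump(TCPDUMP_HEX)))
    for frag_off, m in ((0, True), (3, True), (3, False)):
        print(frag_off, m, classify_fragment(build_fragment(frag_off, m))["kind"])
```

Run stand-alone, the script classifies the mail's packet as `atomic` with identification 0xa9776460 and UDP ports (50017, 53), and the three constructed packets as `first`, `middle` and `last`; a filter that raises "Invalid Fragment Header" for the first of these is rejecting traffic the standard explicitly permits.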