Date: Sat, 05 Mar 2011 20:48:32 +0100 (CET)
From: sthaug@nethelp.no
To: freebsd-bugs@freebsd.org
Subject: Re: kern/145733: [patch] ipfw flaws with ipv6 fragments
Message-ID: <20110305.204832.74739238.sthaug@nethelp.no>

IPFW incorrectly handles IPv6 packets with a fragment header followed by a last fragment only (i.e. the fragment header has fragment offset = 0 and M bit = 0). Such packets are allowed by RFC 2460.

The problem is well described in kern/145733 from 16. April 2010, but nothing seems to have happened with this PR so far.

I see the effects of this problem on several name servers which handle IPv6 traffic. One typical example is

15:49:26.408456 IP6 2001:1a68::d911:210a > 2001:8c0:2001::3:53: frag (0|50) 50017 > 53: 38139% [1au] AAAA? dns1.eunet.no. (42)
        0x0000:  6008 f572 003a 2c36 2001 1a68 0000 0000  `..r.:,6...h....
        0x0010:  0000 0000 d911 210a 2001 08c0 2001 0000  ......!.........
        0x0020:  0000 0000 0003 0053 1100 0000 a977 6460  .......S.....wd`
        0x0030:  c361 0035 0032 21f6 94fb 0010 0001 0000  .a.5.2!.........
        0x0040:  0000 0001 0464 6e73 3105 6575 6e65 7402  .....dns1.eunet.
        0x0050:  6e6f 0000 1c00 0100 0029 1000 0000 8000  no.......)......
        0x0060:  0000                                     ..

which results in the following log entry:

Feb  6 15:49:26 dns1 kernel: IPFW2: IPV6 - Invalid Fragment Header

and then the packet is dropped, even though the packet is perfectly valid. The logs on my name servers are getting filled with these error messages...

Does anybody have an idea of whether the patch in kern/145733 will be incorporated into ip_fw2.c any time soon?

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
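
Added illustration, not part of the original message and not code from ip_fw2.c: a small C parser run over the first 48 bytes of the capture quoted above, showing that its Fragment header carries offset 0 and M = 0 with UDP (17) as the next header. The names `parse_fragment`, `parse_with_offlg`, `frag_info` and the `frag_kind` values are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NH_FRAGMENT 44  /* IPv6 Next Header value for the Fragment header */
/* Example-only names; FRAG_ATOMIC = offset 0 and M 0 (whole packet in one fragment). */
enum frag_kind { FRAG_NONE, FRAG_TRUNCATED, FRAG_ATOMIC, FRAG_FIRST, FRAG_MIDDLE, FRAG_LAST };
struct frag_info { enum frag_kind kind; uint8_t next_hdr; uint16_t offset; int more; uint32_t id; };
/* First 48 bytes of the packet quoted in the message: IPv6 header + Fragment header. */
static const uint8_t sample_pkt[48] = {
    0x60,0x08,0xf5,0x72, 0x00,0x3a,0x2c,0x36,
    0x20,0x01,0x1a,0x68, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0xd9,0x11,0x21,0x0a,
    0x20,0x01,0x08,0xc0, 0x20,0x01,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x03,0x00,0x53,
    0x11,0x00,0x00,0x00, 0xa9,0x77,0x64,0x60 };

/* Parse a Fragment header directly after the fixed IPv6 header (no other ext headers walked). */
struct frag_info parse_fragment(const uint8_t *p, size_t len)
{
    struct frag_info fi = { FRAG_TRUNCATED, 0, 0, 0, 0 };
    if (len < 40 || (p[0] >> 4) != 6) return fi;          /* not a full IPv6 header */
    if (p[6] != NH_FRAGMENT) { fi.kind = FRAG_NONE; fi.next_hdr = p[6]; return fi; }
    if (len < 48) return fi;                              /* Fragment header cut short */
    const uint8_t *fh = p + 40;
    uint16_t offlg = (uint16_t)((fh[2] << 8) | fh[3]);
    fi.next_hdr = fh[0];                                  /* upper-layer protocol */
    fi.offset = offlg >> 3;                               /* 13-bit offset, 8-octet units */
    fi.more = offlg & 1;                                  /* M bit */
    fi.id = ((uint32_t)fh[4] << 24) | ((uint32_t)fh[5] << 16) | ((uint32_t)fh[6] << 8) | fh[7];
    if (fi.offset == 0) fi.kind = fi.more ? FRAG_FIRST : FRAG_ATOMIC;
    else                fi.kind = fi.more ? FRAG_MIDDLE : FRAG_LAST;
    return fi;
}

/* Hypothetical helper: the same packet with a different offset/flags field. */
struct frag_info parse_with_offlg(uint16_t offlg)
{
    uint8_t pkt[sizeof sample_pkt];
    memcpy(pkt, sample_pkt, sizeof pkt);
    pkt[42] = (uint8_t)(offlg >> 8);
    pkt[43] = (uint8_t)(offlg & 0xff);
    return parse_fragment(pkt, sizeof pkt);
}

int main(void)
{
    struct frag_info fi = parse_fragment(sample_pkt, sizeof sample_pkt);
    printf("kind=%d next_hdr=%u offset=%u M=%d id=0x%08x\n", fi.kind, fi.next_hdr, fi.offset, fi.more, (unsigned)fi.id);
    return fi.kind == FRAG_ATOMIC ? 0 : 1;
}
```

With offset 0 the upper-layer header sits in the same packet, so the UDP ports shown in the capture are available for rule matching.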