Date:      Wed, 11 Mar 2015 09:39:16 +0100
From:      Kristof Provost <kristof@sigsegv.be>
To:        freebsd-net@FreeBSD.org
Cc:        freebsd-pf@FreeBSD.org
Subject:   Re: [PATCH] Fix panic with pf fastroute
Message-ID:  <20150311083916.GQ1975@vega.codepro.be>
In-Reply-To: <1426064691-1238-1-git-send-email-kristof@sigsegv.be>
References:  <1426064691-1238-1-git-send-email-kristof@sigsegv.be>

Set up a pf ruleset with at least the following rule
> pass out fastroute inet6 proto icmp6 all icmp6-type echoreq

Send out an icmp6 echo request (i.e. ping6 2001:db8::1). This causes a
panic in ip6_output() when comparing the old and new destination
addresses (IN6_ARE_ADDR_EQUAL()) just after the netpfil hook.

The cause is the fastroute option, which means that the mbuf is handed
off to ip6_output() from pf itself and should no longer be processed by
the ip6_output() which called pf in the first place.

The pf code in pf_route6() neglected to set the mbuf pointer to NULL
after the call to ip6_output(). As a result we end up trying to continue
processing on an mbuf which has already been freed.
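The defect described above is a double-ownership bug: the routing path hands the mbuf to ip6_output(), which consumes it, but the caller still holds a non-NULL pointer and keeps processing. The following is an added illustration, not FreeBSD code: a toy mbuf, a stand-in output routine that frees what it is given, and the buggy and fixed variants of the handoff side by side. The names `toy_ip6_output`, `route6_buggy`, `route6_fixed` and `caller_after_hook` are constructed for this example; only the `*m = NULL` convention mirrors the patch.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-in for a kernel mbuf: just enough state to track ownership. */
struct mbuf {
    int  flags;
    char data[64];
};

#define M_SKIP_FIREWALL 0x1

/* Number of times the toy output path has consumed (freed) an mbuf. */
static int freed_count = 0;

/* Stand-in for ip6_output(): takes ownership of m0 and frees it. */
static void toy_ip6_output(struct mbuf *m0)
{
    (void)m0->flags;
    freed_count++;
    free(m0);
}

/* Buggy handoff: m0 is consumed, but the caller's pointer is left dangling. */
static void route6_buggy(struct mbuf **m)
{
    struct mbuf *m0 = *m;
    m0->flags |= M_SKIP_FIREWALL;
    toy_ip6_output(m0);
    /* missing: *m = NULL; */
}

/* Fixed handoff, following the one-line change in the patch. */
static void route6_fixed(struct mbuf **m)
{
    struct mbuf *m0 = *m;
    m0->flags |= M_SKIP_FIREWALL;
    toy_ip6_output(m0);
    *m = NULL;  /* ownership transferred; the caller must not touch it */
}

/* Caller modelled on the output routine continuing after its filter hook.
 * Returns 0 when the packet was consumed and processing correctly stops,
 * 1 when the caller would have gone on to use a freed mbuf, -1 on alloc
 * failure. The dangling case is only reported, never dereferenced. */
static int caller_after_hook(void (*route)(struct mbuf **))
{
    struct mbuf *m = calloc(1, sizeof *m);
    if (m == NULL)
        return -1;
    route(&m);
    if (m == NULL)
        return 0;   /* consumed by the routing path; nothing left to do */
    return 1;       /* non-NULL but already freed: this is the panic path */
}

int main(void)
{
    printf("fixed variant: %d (0 = safe)\n", caller_after_hook(route6_fixed));
    printf("buggy variant: %d (1 = would touch freed mbuf)\n",
           caller_after_hook(route6_buggy));
    return 0;
}
```

The check in `caller_after_hook` is the contract the real caller relies on: a routing path that consumes the packet must leave the caller's pointer NULL, and the caller must test for NULL before doing anything else with it.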
---
 sys/netpfil/pf/pf.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index b32288b..7c3ddb8 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -5470,6 +5470,7 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
 			PF_STATE_UNLOCK(s);
 		m0->m_flags |= M_SKIP_FIREWALL;
 		ip6_output(m0, NULL, NULL, 0, NULL, NULL, NULL);
+		*m = NULL;
 		return;
 	}
 
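Review bot: the added `*m = NULL;` after `ip6_output(m0, NULL, NULL, 0, NULL, NULL, NULL);` is the right fix for the ownership handoff, but it should carry a one-line comment saying why, e.g. `*m = NULL; /* ip6_output() consumed m0 */`, so a later reader does not mistake it for a redundant assignment and remove it. Since the commit message places the panic in the caller's IN6_ARE_ADDR_EQUAL() comparison after the netpfil hook, it is worth confirming in the same review that every caller of pf_route6() actually tests `*m == NULL` on return before continuing; the fix is only complete if that check exists. Finally, check whether the IPv4 routing path in the same file has an equivalent fastroute branch that calls the output routine and returns without clearing `*m`, as it would need the same one-line treatment.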