From owner-svn-src-all@FreeBSD.ORG Thu Sep 25 11:07:13 2014
Subject: Re: svn commit: r272089 - head/sys/netpfil/ipfw
From: Sean Bruno
Reply-To: sbruno@freebsd.org
To: Gleb Smirnoff
Cc: FreeBSD Net, Adrian Chadd, David Carlier
In-Reply-To: <20140925051808.GS884@FreeBSD.org>
References: <201409250226.s8P2Q6AS055635@svn.freebsd.org> <20140925051808.GS884@FreeBSD.org>
Date: Thu, 25 Sep 2014 04:07:03 -0700
Message-ID: <1411643223.2161.2.camel@bruno>

On Thu, 2014-09-25 at 09:18 +0400, Gleb Smirnoff wrote:
> On Wed, Sep 24, 2014 at 07:40:23PM -0700, Adrian Chadd wrote:
> A> Hm, I saw this from Kate on IRC. Did anyone figure out _where_ these
> A> frames are coming from?
> A>
> A> Just dropping them is cool, but I'd really like to see the contents of
> A> the frames and what their origin is.
> A>
> A> I'm worried that they're valid stack-generated frames..
>
> I agree on this. Fixing NULL pointer derefs with NULL check is not
> always a right thing to do.
>
> A> -a
> A>
> A>
> A> On 24 September 2014 19:26, Sean Bruno wrote:
> A> > Author: sbruno
> A> > Date: Thu Sep 25 02:26:05 2014
> A> > New Revision: 272089
> A> > URL: http://svnweb.freebsd.org/changeset/base/272089
> A> >
> A> > Log:
> A> > Fix NULL pointer deref in ipfw when using dummynet at layer 2.
> A> > Drop packet if pkg->ifp is NULL, which is the case here.
> A> >
> A> > ref. https://github.com/HardenedBSD/hardenedBSD
> A> > commit 4eef3881c64f6e3aa38eebbeaf27a947a5d47dd7
> A> >
> A> > PR 193861 -- DUMMYNET LAYER2: kernel panic
> A> >
> A> > in this case a kernel panic occurs.
> A> > Hence, when we do not get an interface,
> A> > we just drop the packet in question.
> A> >
> A> > PR: 193681
> A> > Submitted by: David Carlier
> A> > Obtained from: Hardened BSD
> A> > MFC after: 2 weeks
> A> > Relnotes: yes
> A> >
> A> > Modified:
> A> > head/sys/netpfil/ipfw/ip_dn_io.c
> A> >
> A> > Modified: head/sys/netpfil/ipfw/ip_dn_io.c > A> > ============================================================================== > A> > --- head/sys/netpfil/ipfw/ip_dn_io.c Wed Sep 24 22:58:10 2014 (r272088) > A> > +++ head/sys/netpfil/ipfw/ip_dn_io.c Thu Sep 25 02:26:05 2014 (r272089) > A> > @@ -751,10 +751,15 @@ dummynet_send(struct mbuf *m) > A> > /* extract the dummynet info, rename the tag > A> > * to carry reinject info. > A> > */ > A> > - dst = pkt->dn_dir; > A> > - ifp = pkt->ifp; > A> > - tag->m_tag_cookie = MTAG_IPFW_RULE; > A> > - tag->m_tag_id = 0; > A> > + if (pkt->dn_dir == (DIR_OUT | PROTO_LAYER2) && > A> > + pkt->ifp == NULL) { > A> > + dst = DIR_DROP; > A> > + } else { > A> > + dst = pkt->dn_dir; > A> > + ifp = pkt->ifp; > A> > + tag->m_tag_cookie = MTAG_IPFW_RULE; > A> > + tag->m_tag_id = 0; > A> > + } > A> > } > A> > > A> > switch (dst) { > A> >

Ok, moving off to freebsd-net. How should we proceed with debugging further?

sean

bcc src-all src-head
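Review bot: the new guard in the `dummynet_send` hunk only fires for `pkt->dn_dir == (DIR_OUT | PROTO_LAYER2)`, so if `pkt->ifp` can also be NULL for any other `dst` value that the following `switch (dst)` hands `ifp` to, that path keeps the original unchecked use; consider testing `pkt->ifp == NULL` for every direction that consumes `ifp` rather than for one constant. Two smaller points: the `dst = DIR_DROP` branch skips the tag rename (`tag->m_tag_cookie` and `tag->m_tag_id` are left as they were), which is only safe as long as the drop path frees the mbuf instead of passing it on, so a comment stating that would help the next reader; and since the thread agrees the origin of these frames is still unknown, counting or rate-limited logging of the dropped packets at the drop site (direction, tag state) would preserve the evidence needed for root-causing instead of silently discarding it.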