From owner-freebsd-security Mon Sep 18 7:50:35 2000
Delivered-To: freebsd-security@freebsd.org
Received: from kronus.com.br (dial-bhn-C8C0B442.bhz.zaz.com.br [200.192.180.66]) by hub.freebsd.org (Postfix) with SMTP id 8F27137B423 for ; Mon, 18 Sep 2000 07:50:28 -0700 (PDT)
Received: (qmail 542 invoked by uid 1000); 18 Sep 2000 14:56:43 -0000
Date: Mon, 18 Sep 2000 11:56:43 -0300
From: Fred Souza
To: security@freebsd.org
Subject: Panic when receiving packets with invalid versions
Message-ID: <20000918115643.A470@torment.secfreak.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Note: \x70\x73\x79\x63\x68
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi all,

I was just playing around with ISIC and noticed something strange in FreeBSD's IP stack (my system is 4.1-STABLE, built from the source tree of 09/10). It seems the system cannot handle a certain amount of packets built with invalid IP version numbers, and will reboot after a short period of time.

My first attempt was:

    torment:ttyv0:~# isic -D -s rand -d 192.168.0.1 -r rand
    Using random source IP's
    Compiled against Libnet 1.0.1b
    Installing Signal Handlers.
    Seeding with 0
    No Maximum traffic limiter
    Bad IP Version = 10%  Odd IP Header Length = 50%  Frag'd P cnt = 30%
    138.156.122.75 -> 192.168.0.1 tos[57] id[0] ver[4] frag[0]
    49.225.236.60 -> 192.168.0.1 tos[236] id[1] ver[4] frag[0]

Then..

    Fatal trap 12: page fault while in kernel mode
    fault virtual address   = 0x0
    fault code              = supervisor read, page not present
    instruction pointer     = 0x8:0xc0190b43
    stack pointer           = 0x10:0xc644acc0
    frame pointer           = 0x10:0xc644acec
    code segment            = base 0x0, limit 0xfffff, type 0x1b
                            = DPL 0, pres 1, def32 1, gran 1
    processor eflags        = interrupt enabled, resume, IOPL = 0
    current process         = 238 (isic)
    interrupt mask          =
    trap number             = 12
    panic: page fault

By this time, I wasn't sure if the fault occurred due to the outgoing invalid packets, or the incoming ones.
Then, after the reboot, I tried:

    torment:ttyv2:~# isic -D -s rand -d 192.168.0.1 -r rand -V0
    Using random source IP's
    Compiled against Libnet 1.0.1b
    Installing Signal Handlers.
    Seeding with 0
    No Maximum traffic limiter
    Bad IP Version = 0%  Odd IP Header Length = 50%  Frag'd P cnt = 30%
    138.156.122.75 -> 192.168.0.1 tos[57] id[0] ver[4] frag[0]
    49.225.236.60 -> 192.168.0.1 tos[236] id[1] ver[4] frag[0]
    186.159.114.116 -> 192.168.0.1 tos[41] id[2] ver[4] frag[0]
    110.39.117.87 -> 192.168.0.1 tos[4] id[3] ver[4] frag[35696]
    144.254.169.98 -> 192.168.0.1 tos[182] id[4] ver[4] frag[45378]
    [Lots of packets]

And no page faults this time. Yet, I tried sending the invalid packets to another host, and again, everything went just fine. This way, I was sure the problem is about incoming invalid packets (or am I wrong about that?). I tried again sending invalid packets to myself, to ensure the first time wasn't "environment trash" just after the reboot, and the same happened.

The next step I tried was to fix it. But due to my limited ability to change kernel code, I couldn't. I'm leaving this to the magicians, real kernel hackers, to fix, if there's anything to fix at all (I'm still considering the possibility of this just being *my* fault. I've had the same kind of page faults a few weeks ago with pppd.) :-)

As far as I can tell, ip_input.c's ip_input() function checks the ip_v field of each packet and compares it to IPVERSION (4). If it doesn't match, the code jumps to the label "bad", where, if IPFIREWALL_FORWARD is active, it sets ip_fw_fwd_addr to NULL, and discards the buffer of the incoming packet. Looks just right to me, and that's why I couldn't figure out how to fix this problem.

Can anybody else reproduce this kind of error, or should I smash my head against the wall and try to solve this by myself on my box?

Peace,
.cseg

-- 
"The most difficult thing in the world is to know how to do a thing and to watch someone else do it wrong without comment." -- Theodore H. White

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
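Added example for this archive page, not part of the original message and not FreeBSD's ip_input() or ISIC code: a minimal IPv4 header sanity pass of the kind the mail describes, i.e. the ip_v against IPVERSION comparison plus the header-length, checksum and total-length checks that ISIC's "Bad IP Version" and "Odd IP Header Length" options exercise. The headers it checks are constructed in memory with the addresses from the mail; the function names (ip_sanity, build_header, make_and_check) and the verdict enum are this example's own. It shows what a correct input path has to reject before it uses any header field as a length or offset; it does not claim where the reported panic lies.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPVERSION   4
#define IP_MIN_HLEN 20      /* header with no options */

enum ip_verdict {
    IP_OK = 0,
    IP_BAD_VERSION,     /* ip_v != IPVERSION (ISIC "Bad IP Version") */
    IP_BAD_HLEN,        /* ip_hl * 4 < 20 (ISIC "Odd IP Header Length") */
    IP_BAD_CSUM,        /* header checksum does not verify */
    IP_BAD_TOTLEN,      /* ip_len shorter than the header itself */
    IP_TRUNCATED        /* buffer shorter than the header or than ip_len */
};

/* RFC 1071 one's-complement checksum; yields 0 over a header whose
 * checksum field is correct. */
static uint16_t in_cksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    size_t i;

    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)buf[i] << 8) | buf[i + 1];
    if (len & 1)
        sum += (uint32_t)buf[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Checks in the order an input path applies them: each field is
 * validated against the bytes actually present before it is trusted. */
enum ip_verdict ip_sanity(const uint8_t *pkt, size_t len)
{
    unsigned ver, hlen, totlen;

    if (len < IP_MIN_HLEN)
        return IP_TRUNCATED;
    ver = pkt[0] >> 4;
    if (ver != IPVERSION)
        return IP_BAD_VERSION;          /* the "bad" path in the mail */
    hlen = (pkt[0] & 0x0f) * 4;
    if (hlen < IP_MIN_HLEN)
        return IP_BAD_HLEN;
    if (hlen > len)
        return IP_TRUNCATED;            /* cannot even checksum it */
    if (in_cksum(pkt, hlen) != 0)
        return IP_BAD_CSUM;
    totlen = ((unsigned)pkt[2] << 8) | pkt[3];
    if (totlen < hlen)
        return IP_BAD_TOTLEN;
    if (totlen > len)
        return IP_TRUNCATED;
    return IP_OK;
}

/* Constructed header (64-byte out buffer): given version, header length
 * in 32-bit words and total length, with a valid checksum. Returns the
 * number of header bytes written. */
size_t build_header(uint8_t *out, unsigned ver, unsigned ihl, uint16_t totlen)
{
    size_t hlen = ihl * 4 < IP_MIN_HLEN ? IP_MIN_HLEN : ihl * 4;
    uint16_t csum;

    memset(out, 0, 64);
    out[0] = (uint8_t)((ver << 4) | (ihl & 0x0f));
    out[2] = (uint8_t)(totlen >> 8);
    out[3] = (uint8_t)totlen;
    out[8] = 64;                              /* ttl */
    out[9] = 1;                               /* protocol: ICMP */
    memcpy(out + 12, "\xc0\xa8\x00\x02", 4);  /* src 192.168.0.2 */
    memcpy(out + 16, "\xc0\xa8\x00\x01", 4);  /* dst 192.168.0.1 */
    csum = in_cksum(out, hlen);
    out[10] = (uint8_t)(csum >> 8);
    out[11] = (uint8_t)csum;
    return hlen;
}

/* Build a header and check the first buflen bytes, as if only that many
 * had arrived on the wire. */
enum ip_verdict make_and_check(unsigned ver, unsigned ihl,
                               uint16_t totlen, size_t buflen)
{
    uint8_t pkt[64];

    build_header(pkt, ver, ihl, totlen);
    return ip_sanity(pkt, buflen);
}

/* Same, but damage one byte after the checksum was computed. */
enum ip_verdict make_and_check_corrupted(void)
{
    uint8_t pkt[64];

    build_header(pkt, IPVERSION, 5, 20);
    pkt[8] ^= 0xff;
    return ip_sanity(pkt, 20);
}

int main(void)
{
    static const char *names[] = { "ok", "bad version", "bad header length",
                                   "bad checksum", "bad total length",
                                   "truncated" };
    printf("ver 4,  ihl 5:        %s\n", names[make_and_check(4, 5, 20, 20)]);
    printf("ver 10, ihl 5:        %s\n", names[make_and_check(10, 5, 20, 20)]);
    printf("ver 4,  ihl 3:        %s\n", names[make_and_check(4, 3, 20, 20)]);
    printf("ver 4,  ihl 15, 20B:  %s\n", names[make_and_check(4, 15, 60, 20)]);
    printf("corrupted header:     %s\n", names[make_and_check_corrupted()]);
    return 0;
}
```

Every verdict other than IP_OK corresponds to a drop path: the packet's buffer is freed and nothing after the version check ever dereferences an offset derived from the bad header. Which of the kernel's own drop paths the reported trap sits on cannot be told from this example; it only shows the set of checks such a path has to get right.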