Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 13 Dec 2001 22:36:51 +0300
From:      Yar Tikhiy <yar@freebsd.org>
To:        hackers@freebsd.org, net@freebsd.org
Subject:   Solution for an IPFIREWALL_FORWARD panic?
Message-ID:  <20011213223651.A2089@comp.chem.msu.su>

next in thread | raw e-mail | index | archive | help
Hello everybody,

A kernel panic has been observed in both branches under the following
conditions:
o ipfw is configured with a "fwd" rule for outgoing packets that will
  match some RIP datagrams
o GateD is started with RIP enabled and consequently sends a broadcast
  UDP datagram that matches the "fwd" rule

The panic happens there (the source file is sys/netinet/ip_output.c;
quoted as to rev. 1.99.2.21):

740  if (ro_fwd->ro_rt->rt_flags & RTF_HOST)
741          isbroadcast =
742              (ro_fwd->ro_rt->rt_flags & RTF_BROADCAST);
743  else
744          isbroadcast = in_broadcast(dst->sin_addr, ifp);
745  RTFREE(ro->ro_rt);
^^^^^^^^^^^^^^^^^^^^^^^
746  ro->ro_rt = ro_fwd->ro_rt;
747  dst = (struct sockaddr_in *)&ro_fwd->ro_dst;

ro->ro_rt is NULL, which causes the panic.

As far as I understand the ip_output() code, ro->ro_rt being NULL
at that point is actually all right, so to solve the problem, the
code just must be changed as follows:

< RTFREE(ro->ro_rt);
--
> if (ro->ro_rt)
>	RTFREE(ro->ro_rt);

Am I right?  Or ro->ro_rt should not be NULL there at all and the
actual bug hides somewhere else?

-- 
Yar

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011213223651.A2089>