Date: Thu, 13 Dec 2001 22:36:51 +0300
From: Yar Tikhiy
To: hackers@freebsd.org, net@freebsd.org
Subject: Solution for an IPFIREWALL_FORWARD panic?
Message-ID: <20011213223651.A2089@comp.chem.msu.su>

Hello everybody,

A kernel panic has been observed in both branches under the following
conditions:

  o ipfw is configured with a "fwd" rule for outgoing packets that will
    match some RIP datagrams

  o GateD is started with RIP enabled and consequently sends a broadcast
    UDP datagram that matches the "fwd" rule

The panic happens here (the source file is sys/netinet/ip_output.c;
quoted as of rev. 1.99.2.21):

    740                 if (ro_fwd->ro_rt->rt_flags & RTF_HOST)
    741                         isbroadcast =
    742                             (ro_fwd->ro_rt->rt_flags & RTF_BROADCAST);
    743                 else
    744                         isbroadcast = in_broadcast(dst->sin_addr, ifp);
    745                 RTFREE(ro->ro_rt);
                        ^^^^^^^^^^^^^^^^^^
    746                 ro->ro_rt = ro_fwd->ro_rt;
    747                 dst = (struct sockaddr_in *)&ro_fwd->ro_dst;

ro->ro_rt is NULL, which causes the panic.

As far as I understand the ip_output() code, ro->ro_rt being NULL at
that point is actually all right, so to solve the problem the code just
needs to be changed as follows:

<                 RTFREE(ro->ro_rt);
--
>                 if (ro->ro_rt)
>                         RTFREE(ro->ro_rt);

Am I right? Or should ro->ro_rt not be NULL there at all, with the
actual bug hiding somewhere else?

--
Yar
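Review bot: the guard covers only the release at line 745, which is the single place in the quoted lines that assumes the old cached route exists (the isbroadcast computation at 740-744 reads ro_fwd->ro_rt and dst/ifp, not ro->ro_rt), so the change is sufficient for the path shown; but the fwd route is itself dereferenced unconditionally at 740 and 742 (ro_fwd->ro_rt->rt_flags), so the lookup that fills ro_fwd must be guaranteed to have succeeded before this block is reached, otherwise it needs the same treatment. Whether the NULL is legitimate, as the message argues, or a symptom of something earlier is exactly the question to settle before committing: if a broadcast destination never gets a route cached in ro, the check is the right fix rather than a workaround. The diff is in normal (ed-style) format without a file or revision header; a unified diff against rev. 1.99.2.21 would let reviewers apply it with patch(1) and see the surrounding context.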
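The failure mode in the message, as an added, stand-alone model that is not FreeBSD code: a struct route cache whose ro_rt is NULL because no route was ever looked up for a broadcast destination, a refcounted route entry, and an RTFREE()-style macro that reads rt->rt_refcnt before deciding whether to call rtfree(), so passing it NULL dereferences NULL immediately. The type and function names are chosen to resemble sys/net/route.h but the refcount semantics are simplified assumptions, and the two adopt_fwd_route_*() functions are hypothetical stand-ins for the code at lines 745-746 before and after the proposed check.

```c
/*
 * Added example, not FreeBSD code: a minimal model of the route-cache
 * swap in ip_output() that shows why RTFREE() on a NULL ro->ro_rt panics
 * and what the proposed NULL check changes. Names loosely mirror
 * sys/net/route.h; rt_refcnt and rtfree() behaviour are simplified.
 */
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

struct rtentry {
    long rt_refcnt;     /* number of struct route caches holding this entry */
    int  rt_flags;      /* RTF_* bits; unused by this model */
};

struct route {
    struct rtentry *ro_rt;  /* NULL when no route has been looked up/cached */
};

static int freed_entries;   /* counts entries actually released */

/* Drop one reference; release the entry when the last one goes. */
static void rtfree(struct rtentry *rt)
{
    if (--rt->rt_refcnt > 0)
        return;
    freed_entries++;
    free(rt);
}

/*
 * Shaped like the 4.x RTFREE() macro (assumption, simplified): it reads
 * rt->rt_refcnt unconditionally, so a NULL argument is dereferenced
 * before rtfree() is ever reached. That is the panic in the message.
 */
#define RTFREE(rt) do {                             \
        if ((rt)->rt_refcnt <= 1) rtfree(rt);       \
        else (rt)->rt_refcnt--;                     \
    } while (0)

/* Model of a successful route lookup: a fresh entry with one reference. */
static struct rtentry *rtalloc_model(void)
{
    struct rtentry *rt = calloc(1, sizeof *rt);
    if (rt == NULL)
        abort();
    rt->rt_refcnt = 1;
    return rt;
}

/*
 * Lines 745-746 as posted: release the cached route, then adopt the fwd
 * route. Dereferences NULL when nothing was cached (broadcast datagram
 * that never had a unicast route looked up).
 */
static void adopt_fwd_route_unchecked(struct route *ro, struct route *ro_fwd)
{
    RTFREE(ro->ro_rt);
    ro->ro_rt = ro_fwd->ro_rt;
}

/* The proposed fix: only release a route that actually exists. */
static void adopt_fwd_route_checked(struct route *ro, struct route *ro_fwd)
{
    if (ro->ro_rt)
        RTFREE(ro->ro_rt);
    ro->ro_rt = ro_fwd->ro_rt;
}

/* Unicast case: a route was cached, so exactly one entry (the old one)
 * must be released when the fwd route replaces it. Returns that count. */
static int scenario_unicast_then_fwd(void)
{
    freed_entries = 0;
    struct route ro = { rtalloc_model() };      /* previously cached route */
    struct route ro_fwd = { rtalloc_model() };  /* route to the fwd target */
    adopt_fwd_route_checked(&ro, &ro_fwd);
    int released = freed_entries;
    assert(ro.ro_rt == ro_fwd.ro_rt);           /* cache now holds fwd route */
    RTFREE(ro.ro_rt);                           /* drop the one reference left */
    return released;
}

/* Broadcast case from the message: ro->ro_rt is NULL. With the check,
 * nothing is released and the fwd route is adopted. Returns 0. */
static int scenario_broadcast_then_fwd(void)
{
    freed_entries = 0;
    struct route ro = { NULL };
    struct route ro_fwd = { rtalloc_model() };
    adopt_fwd_route_checked(&ro, &ro_fwd);
    int released = freed_entries;
    assert(ro.ro_rt == ro_fwd.ro_rt);
    RTFREE(ro.ro_rt);
    return released;
}

int main(void)
{
    printf("unicast then fwd: released %d entry\n", scenario_unicast_then_fwd());
    printf("broadcast then fwd: released %d entries\n", scenario_broadcast_then_fwd());
    /* adopt_fwd_route_unchecked(&(struct route){ NULL }, ...) would
     * dereference NULL inside RTFREE(); it is deliberately not run here. */
    (void)adopt_fwd_route_unchecked;
    return 0;
}
```

The point the model makes is that the NULL is a property of the cache, not of the fwd lookup: ro_fwd->ro_rt is valid in both scenarios, and the only thing that differs is whether ro->ro_rt held a reference that must be dropped before it is overwritten.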