From owner-freebsd-security Thu Feb 14 10: 3:36 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mail.polchat.pl (polchat.pl [213.25.49.1]) by hub.freebsd.org (Postfix) with SMTP id 08ECF37B402 for ; Thu, 14 Feb 2002 10:03:30 -0800 (PST)
Received: (qmail 28026 invoked by uid 513); 14 Feb 2002 18:02:33 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 14 Feb 2002 18:02:33 -0000
Date: Thu, 14 Feb 2002 19:02:33 +0100 (CET)
From:
X-Sender: kurnik@polchat.pl
To: Ruslan Ermilov
Cc: Maxime Henrion, freebsd-security@FreeBSD.ORG, "Jacques A. Vidrine"
Subject: Re: FreeBSD 4.5 syncache problem
In-Reply-To: <20020214181527.B92824@sunbay.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Thu, 14 Feb 2002, Ruslan Ermilov wrote:

> On Thu, Feb 14, 2002 at 10:04:33AM -0600, Maxime Henrion wrote:
> > Jacques A. Vidrine (nectar@FreeBSD.org) wrote:
> > > On Thu, Feb 14, 2002 at 07:37:07AM -0600, Maxime Henrion wrote:
> > > > Maxime Henrion (mux@sneakerz.org) wrote:
> > > > > kurnik@kurnik.pl (kurnik@kurnik.pl) wrote:
> > > > > > Hi!
> > > > > >
> > > > > > I'd like to migrate my Linux powered server to FreeBSD 4.5 but there's
> > > > > > a critical syncache related bug that makes it easy to remotely cause
> > > > > > kernel panic on any server running FreeBSD 4.5.
> > > > > > (more on this bug at www.freebsd.org/cgi/query-pr.cgi?pr=kern/34658)
> > > > >
> > > > > Could you provide a way to reliably reproduce it? I'm sure this would
> > > > > help a lot getting this bug fixed, since it's not mentioned in the PR.
> > > >
> > > > Please discard my mail, it really looks like this is fixed in rev1.11 of
> > > > tcp_syncache.c.
> > >
> > > Hello Maxime,
> > >
> > > Can you confirm:
> > > After applying rev 1.11 of tcp_syncache.c to your 4.5-RELEASE system,
> > > your issue was resolved?
> > >
> > > I'd like to MFC this revision, but I wanted to be sure that it worked
> > > for you on a real system.
> >
> > Sorry for the confusion, but I was replying to myself here :-) The person
> > who experienced the syncache panic is kurnik@kurnik.pl.
> >
> I think just MFC'ing this revision might not fix the problem.
> Jonathan posted a patch along these lines (the second hunk):
>
> Index: tcp_syncache.c > =================================================================== > RCS file: /home/ncvs/src/sys/netinet/tcp_syncache.c,v > retrieving revision 1.5.2.4 > diff -u -p -r1.5.2.4 tcp_syncache.c > --- tcp_syncache.c 2002/01/24 16:09:08 1.5.2.4 > +++ tcp_syncache.c 2002/02/14 16:14:10 > @@ -839,6 +839,11 @@ syncache_add(inc, to, th, sop, m) > */ > if (sc->sc_flags & SCF_TIMESTAMP) > sc->sc_tsrecent = to->to_tsval; > + /* > + * PCB may have changed, pick up new values. > + */ > + sc->sc_tp = tp; > + sc->sc_inp_gencnt = tp->t_inpcb->inp_gencnt; > if (syncache_respond(sc, m) == 0) { > s = splnet(); > TAILQ_REMOVE(&tcp_syncache.timerq[sc->sc_rxtslot], > @@ -1314,6 +1319,7 @@ syncookie_lookup(inc, th, so) > * Fill in the syncache values. > * XXX duplicate code from syncache_add > */ > + sc->sc_tp = sototcpcb(so); > sc->sc_ipopts = NULL; > sc->sc_inc.inc_fport = inc->inc_fport; > sc->sc_inc.inc_lport = inc->inc_lport;

I've got a patch from the guy who submitted this bug (Alan Judge) but it (the patch) only added one line of code [ sc->sc_tp = sototcpcb(so) ] to tcp_syncache.c and it solved the problem for me. I'll try the above patch and the one posted later and if something goes wrong, I'll tell you (otherwise assume everything went OK)

cheers,
Marek Futrega

-- KURNIK! -- online games worth the candle :) http://www.kurnik.pl/
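
Review bot: In the syncache_add hunk (@@ -839,6 +839,11 @@) the added line sc->sc_inp_gencnt = tp->t_inpcb->inp_gencnt dereferences tp and tp->t_inpcb with no check in the visible context, on the very path whose comment says the PCB may have changed. Confirm that tp and its inpcb are guaranteed valid at this point, or assert it, and extend the comment to say what makes the cached sc_tp stale so the next reader knows why the refresh is needed.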
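
Review bot: The syncookie_lookup hunk (@@ -1314,6 +1319,7 @@) sets sc->sc_tp but not sc->sc_inp_gencnt, while the syncache_add hunk updates the two together. If anything later compares sc_inp_gencnt against the PCB's generation count, an entry rebuilt from a cookie carries whatever value was left in that field; set it from the socket's inpcb here as well, or state why it is not needed. The existing "XXX duplicate code from syncache_add" comment points at the underlying issue: a shared fill-in helper would keep the two sites from diverging again.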