From owner-freebsd-hackers Mon Feb 19 8:57:11 2001
Delivered-To: freebsd-hackers@freebsd.org
Received: from out.newmail.net (out.newmail.net [212.150.54.158]) by hub.freebsd.org (Postfix) with SMTP id 59A5E37B491 for ; Mon, 19 Feb 2001 08:57:07 -0800 (PST)
Received: from newmail.net ([10.10.1.75]) by out.newmail.net ; Mon, 19 Feb 2001 14:30:44 +0200
From: idobarnea@NewMail.Net
Reply-To: idobarnea@NewMail.Net
To: hackers@freebsd.org
Cc: andrew@cnsec.co.za
Date: Mon, 19 Feb 2001 14:25:50 Gmt +0200
Subject: Bug in creating ICMP error messages in FreeBSD4.2
Message-id: <3a912cee.150.0@NewMail.Net>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi,

I encountered the following problem in the 4.2 version. In ip_forward, the following lines intend to save the mbuf in case we want to send an ICMP error later:

    mcopy = m_copy(m, 0, imin((int)ip->ip_len, 64));
    if (mcopy && (mcopy->m_flags & M_EXT))
        m_copydata(mcopy, 0, sizeof(struct ip), mtod(mcopy, caddr_t));

Later on, before sending the ICMP packet, we do:

    if (mcopy->m_flags & M_EXT)
        m_copyback(mcopy, 0, sizeof(struct ip), mtod(mcopy, caddr_t));

The problem, as I understand it, is that the m_copydata and m_copyback actually do nothing (they just copy from mcopy to itself). When bombing the kernel with lots of IP packets (enough to make it issue an ICMP error) with length 256 (which is 1 if the byte order is reversed), the icmp_error function causes mbuf memory corruption, and later a kernel panic. I believe this caused the problem reported by Andrew Alston on this mailing list on 12.6.2000.

I suggest adding a variable:

    struct ip save_ip_head;

replacing the m_copydata line with:

    m_copydata(mcopy, 0, sizeof(struct ip), (caddr_t)&save_ip_head);

and doing the same with the m_copyback line.
Ido Barnea
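The aliasing the mail describes, as an added model that is not part of the original message or of the FreeBSD sources: an m_copy() of an M_EXT mbuf shares the cluster with the original, so a copy from mcopy onto itself saves nothing, and whatever later rewrites the header in place (here assumed to be ip_output() swapping ip_len to network order, modelled as an explicit byte swap) shows through in the "saved" copy. struct ip_model, struct mbuf_model and the two *_model helpers are constructed stand-ins, not kernel APIs.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the struct ip fields the bug involves (not kernel code). */
struct ip_model { uint16_t ip_len; uint16_t pad; };
struct mbuf_model { unsigned char *data; }; /* mbuf whose data sits in an external cluster (M_EXT) */

/* m_copy() on an M_EXT mbuf does not duplicate the cluster; the copy aliases it. */
static struct mbuf_model m_copy_model(struct mbuf_model *m)
{
    struct mbuf_model c = { m->data };
    return c;
}

/* Models ip_output() rewriting the header in place before transmission:
 * ip_len goes to network byte order. Written as an explicit byte swap so
 * the outcome (256 becomes 1) matches the mail on any host. */
static void ip_output_model(struct mbuf_model *m)
{
    struct ip_model *ip = (struct ip_model *)m->data;
    ip->ip_len = (uint16_t)((ip->ip_len << 8) | (ip->ip_len >> 8));
}

/* The 4.2 sequence: m_copydata(mcopy -> mcopy) to "save" and m_copyback
 * (mcopy -> mcopy) to "restore". Each copies a region onto itself, so the
 * header icmp_error() later quotes is whatever ip_output() left behind. */
uint16_t ip_len_seen_by_icmp_buggy(void)
{
    struct ip_model cluster[16] = {0};                        /* 64-byte cluster */
    cluster[0].ip_len = 256;                                  /* host order in ip_forward */
    struct mbuf_model m = { (unsigned char *)cluster }, mcopy = m_copy_model(&m);
    memmove(mcopy.data, mcopy.data, sizeof(struct ip_model)); /* m_copydata: no-op */
    ip_output_model(&m);                                      /* clobbers the shared data */
    memmove(mcopy.data, mcopy.data, sizeof(struct ip_model)); /* m_copyback: no-op */
    return ((struct ip_model *)mcopy.data)->ip_len;           /* 1, not 256 */
}

/* The fix proposed in the mail: save the header into a separate struct ip
 * before the header is rewritten and copy it back afterwards. */
uint16_t ip_len_seen_by_icmp_fixed(void)
{
    struct ip_model cluster[16] = {0};
    cluster[0].ip_len = 256;
    struct mbuf_model m = { (unsigned char *)cluster }, mcopy = m_copy_model(&m);
    struct ip_model save_ip_head;
    memcpy(&save_ip_head, mcopy.data, sizeof save_ip_head);   /* real save */
    ip_output_model(&m);
    memcpy(mcopy.data, &save_ip_head, sizeof save_ip_head);   /* real restore */
    return ((struct ip_model *)mcopy.data)->ip_len;           /* 256 */
}
```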