From: Chris Cowart <ccowart@rescomp.berkeley.edu>
To: VANHULLEBUS Yvan
Cc: freebsd-net@freebsd.org
Date: Thu, 10 Sep 2009 16:19:08 -0700
Subject: Re: IPSEC + long UDP causes reproducible crash [was: Crash in ether_input]
Message-ID: <20090910231908.GD37291@hal.rescomp.berkeley.edu>
In-Reply-To: <20090910081337.GA66528@zeninc.net>
Organization: RSSP-IT, UC Berkeley
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

VANHULLEBUS Yvan wrote:
> On Thu, Sep 10, 2009 at 12:37:39AM -0700, Chris Cowart wrote:
>> I have been using i386 and amd64 virtual machines as well as an amd64
>> physical machine; this problem can be reproduced fairly reliably on all
>> of them for 7.0 and 7.1 (and we're pretty sure we saw it in 6.x and
>> didn't know what it was at the time).
>
> I fixed in FreeBSD 7.2+ a bug which looks to be related to your
> crashes (kernel panic with big packets). Could you please try again
> with FreeBSD 7.2 and report the result to us?

The problem does indeed seem to be gone with 7.2.

Given that any unprivileged user could compile and run such a program on an
IPSEC-enabled pre-7.2 box and crash the system, isn't this a local DoS
exploit that should be fixed in the supported security branches (including
7.1)?

-- 
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley