From owner-freebsd-bugs  Sun Jul  2 20:50:06 1995
Return-Path: bugs-owner
Received: (from majordom@localhost)
          by freefall.cdrom.com (8.6.10/8.6.6) id UAA18928
          for bugs-outgoing; Sun, 2 Jul 1995 20:50:06 -0700
Received: (from gnats@localhost)
          by freefall.cdrom.com (8.6.10/8.6.6) id UAA18921
          ; Sun, 2 Jul 1995 20:50:05 -0700
Date: Sun, 2 Jul 1995 20:50:05 -0700
Message-Id: <199507030350.UAA18921@freefall.cdrom.com>
From: mpp@legarto.minn.net
Reply-To: mpp@legarto.minn.net
To: freebsd-bugs
Subject: kern/585: rejecting packets w/ipfw can still panic machine
In-Reply-To: Your message of Sun, 2 Jul 1995 22:43:49 -0500
	<199507030343.WAA00385@mpp.com>
Sender: bugs-owner@FreeBSD.org
Precedence: bulk


>Number:         585
>Category:       kern
>Synopsis:       rejecting packets w/ipfw can still panic machine
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs (FreeBSD bugs mailing list)
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jul  2 20:50:04 1995
>Originator:     Mike Pritchard
>Organization:
>Release:        FreeBSD 2.0-BUILT-19950628 i386
>Environment:

>Description:

The recent change that went in to make packets rejected by ipfw
not panic the machine doesn't work in all cases.  The original
fix left 3 end cases where an attempt would be made to free
an mbuf with an uninitialized pointer, resulting in a machine panic.
I noticed this after building a kernel an noticing the following
warning messages:

In file included from ../../netinet/ip_fw.c:41:
../../../include/arpa/inet.h:50: warning: redundant redeclaration of `inet_ntoa' in same scope
../../netinet/in.h:259: warning: previous declaration of `inet_ntoa'
../../netinet/ip_fw.c: In function `ip_fw_chk':
../../netinet/ip_fw.c:114: warning: `m' might be used uninitialized in this function

>How-To-Repeat:

ipfw addf reject icmp from localhost
ping localhost
*panic*

>Fix:
	
The following fix eliminates the warning about inet_ntoa being
declared twice and fixes the ipfw panic problem.  The panic was
resolved by correctly initializing the mbuf pointer before all cases
where it is used.

*** orig/ip_fw.c	Sun Jul  2 22:36:28 1995
--- ip_fw.c	Sun Jul  2 22:27:31 1995
***************
*** 37,45 ****
  #include <netinet/tcp.h>
  #include <netinet/udp.h>
  #include <netinet/ip_icmp.h>
- 
- #include <arpa/inet.h>
- 
  #include <netinet/ip_fw.h>
  
  #ifdef IPFIREWALL_DEBUG
--- 37,42 ----
***************
*** 303,308 ****
--- 300,306 ----
  #endif
  
  bad_packet:
+ 	m = dtom(ip);
  	if (f) {
  			/*
  			 * Do not ICMP reply to icmp
***************
*** 317,323 ****
  			 */
  		if (!(f->fw_flg&IP_FW_F_ICMPRPL))
  			goto return_0;
- 		m = dtom(ip);
  		if (f_prt==IP_FW_F_ALL)
     			icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0L, 0);
  		else
--- 315,320 ----
>Audit-Trail:
>Unformatted: