Date: Tue, 28 Mar 2006 18:10:02 +0800
From: zhouyi zhou
To: Robert Watson
Cc: gnn@FreeBSD.org, freebsd-bugs@freebsd.org, bz@FreeBSD.org, trustedbsd-discuss@FreeBSD.org
Subject: Re: settling serious conflicts between MAC and IPSEC
Organization: Institute of Software

Dear Watson,

It is my pleasure. Is anyone willing to settle the mbuf without label initialized problem in function ipfw_tick? If there is none, I am willing to do it.

Sincerely yours
Zhouyi Zhou

On Tue, 28 Mar 2006 10:02:39 +0000 (GMT) Robert Watson wrote:
>
> On Mon, 27 Mar 2006, zhouyi zhou wrote:
>
> > Hi everyone, there exists a serious bug in function ipsec_copypkt(m) of
> > netinet6/ipsec.c in FreeBSD 5.4, FreeBSD 6.0 and FreeBSD 7.0
> >
> > 3469 MGETHDR(mnew, M_DONTWAIT, MT_HEADER);
> > 3470 if (mnew == NULL)
> > 3471     goto fail;
> > 3472 mnew->m_pkthdr = n->m_pkthdr;
> > 3473 #if 0
> > 3474 /* XXX: convert to m_tag or delete? */
> > 3475 if (n->m_pkthdr.aux) {
> > 3476     mnew->m_pkthdr.aux =
> > 3477         m_copym(n->m_pkthdr.aux,
> > 3478         0, M_COPYALL, M_DONTWAIT);
> > 3479 }
> > 3480 #endif
> > 3481 M_MOVE_PKTHDR(mnew, n);
> >
> > On line 3472, mnew->m_pkthdr is assigned n->m_pkthdr, and on line 3481, in
> > function m_move_pkthdr, mnew's tag list will be deleted (and the n's tag of
> > course). This will cause the system to crash.
> >
> > After commenting out line 3472, everything is OK.
>
> Thanks for this report! The M_MOVE_PKTHDR() should do all the necessary work,
> including copying the fields referenced in 3472, as well as handling existing
> m_tags right. I've attached a patch with your proposal, which looks and
> sounds good to me, and CC'd George and Bjoern in the hopes that one of them
> will give it a nod of approval before I commit it -- hopefully we can get
> this MFC'd for 6.1-RELEASE.
>
> Robert N M Watson
>
> Index: ipsec.c > =================================================================== > RCS file: /home/ncvs/src/sys/netinet6/ipsec.c,v > retrieving revision 1.43 > diff -u -r1.43 ipsec.c > --- ipsec.c 25 Jul 2005 12:31:42 -0000 1.43 > +++ ipsec.c 28 Mar 2006 09:58:54 -0000 > @@ -3469,15 +3469,6 @@ > MGETHDR(mnew, M_DONTWAIT, MT_HEADER); > if (mnew == NULL) > goto fail; > - mnew->m_pkthdr = n->m_pkthdr; > -#if 0 > - /* XXX: convert to m_tag or delete? */ > - if (n->m_pkthdr.aux) { > - mnew->m_pkthdr.aux = > - m_copym(n->m_pkthdr.aux, > - 0, M_COPYALL, M_DONTWAIT); > - } > -#endif > M_MOVE_PKTHDR(mnew, n); > } > else { >
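
Review bot: With `mnew->m_pkthdr = n->m_pkthdr;` removed, nothing at the `M_MOVE_PKTHDR(mnew, n);` call records why an explicit header copy must not precede it. A short comment there, stating that the macro itself transfers the packet header and its m_tag list from n to mnew and that a prior structure assignment leaves both mbufs referencing the same tag list (the crash described in the report), would keep the assignment from being reintroduced. Deleting the dead `#if 0` aux block in the same hunk is fine, but the commit message should say so and name the affected branches from the report (5.4, 6.0, 7.0) so the MFC for 6.1-RELEASE can be tracked. The hunk's context ends at `} else {`, so it is also worth confirming that nothing later in this branch reads n->m_pkthdr after the move.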