From owner-freebsd-bugs@FreeBSD.ORG  Mon Nov 28 16:00:29 2011
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 4BDF5106566B
	for <freebsd-bugs@hub.freebsd.org>;
	Mon, 28 Nov 2011 16:00:29 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id 0FE568FC0A
	for <freebsd-bugs@hub.freebsd.org>;
	Mon, 28 Nov 2011 16:00:29 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id pASG0K4O044044
	for <freebsd-bugs@freefall.freebsd.org>; Mon, 28 Nov 2011 16:00:20 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.5/8.14.5/Submit) id pASG0K2n044043;
	Mon, 28 Nov 2011 16:00:20 GMT (envelope-from gnats)
Resent-Date: Mon, 28 Nov 2011 16:00:20 GMT
Resent-Message-Id: <201111281600.pASG0K2n044043@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Paul <olivier.paul.tsp@gmail.com>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id D1F8E106567C
	for <freebsd-gnats-submit@FreeBSD.org>;
	Mon, 28 Nov 2011 15:57:38 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id BBD648FC20
	for <freebsd-gnats-submit@FreeBSD.org>;
	Mon, 28 Nov 2011 15:57:38 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id pASFvcaM006414
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 28 Nov 2011 15:57:38 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id pASFvc49006413;
	Mon, 28 Nov 2011 15:57:38 GMT (envelope-from nobody)
Message-Id: <201111281557.pASFvc49006413@red.freebsd.org>
Date: Mon, 28 Nov 2011 15:57:38 GMT
From: Paul <olivier.paul.tsp@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Cc: 
Subject: kern/162926: Infinite loop in ipfilter with fragmented IPv6 traffic
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Nov 2011 16:00:29 -0000


>Number:         162926
>Category:       kern
>Synopsis:       Infinite  loop in ipfilter with fragmented IPv6 traffic
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Nov 28 16:00:20 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Paul
>Release:        6.4
>Organization:
>Environment:
FreeBSD virtualbox0 6.4-RELEASE FreeBSD 6.4-RELEASE #0: Wed Nov 26 11:43:51 UTC 2008     root@dessler.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
When receiving the following packet, ipfilter enters a loop in the frpr_ipv6hdr function making the whole system unresponsive. More recent versions of FreeBSD (e.g. 8.x) seem to be affected as they are using the same version of ipfilter.

# tcpdump -n -X -r AC_458632.pak
reading from file AC_458632.pak, link-type EN10MB (Ethernet)
01:00:00.000453 IP6 truncated-ip6 - 32724 bytes missing!:: > 80::: frag (0|32760) AH(spi=0x00000000,seq=0x33000000): HBH AH(spi=0x00000000,seq=0x0): HBH [|HBH]
        0x0000:  6000 0000 8000 2c00 0000 0000 0000 0000  `.....,.........
        0x0010:  0000 0000 0000 0000 0080 0000 0000 0000  ................
        0x0020:  0000 0000 0000 0000 3300 0004 0000 0000  ........3.......
        0x0030:  0000 0000 0000 0000 3300 0000 0000 0000  ........3.......
        0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0050:  0000 0000            

The problem seems to have been corrected in ipfilter 4.1.31.
>How-To-Repeat:
enable ipfilter.
enable ipv6 and ipv6 forwarding.
send packet through filter.
>Fix:
Install ipfilter v4.1.31.

>Release-Note:
>Audit-Trail:
>Unformatted: