kern/54309: TCP Packet of 64K-1 crashes FreeBSD4.8
Nigel Horne
njh at despammed.com
Thu Jul 10 01:20:24 PDT 2003
>Number: 54309
>Category: kern
>Synopsis: TCP Packet of 64K-1 crashes FreeBSD4.8
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Jul 10 01:20:21 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: Nigel Horne
>Release: FreeBSD 4.8-RELEASE i386
>Organization:
NJH Music
>Environment:
System: FreeBSD gsec1.itac-uk.com 4.8-RELEASE FreeBSD 4.8-RELEASE #0: Wed Jul 9 13:46:32 BST 2003 njh at dev.itac.local:/usr/obj/usr/src/sys/NJHKERNEL i386
IBM, FreeBSD4.8
>Description:
A simple Perl program (see attached) causes a kernel page fault.
>How-To-Repeat:
#!/usr/bin/perl -wT
# To be run as root under FreeBSD
# First do: ipfw add divert 9999 tcp from any to <ip> 3994
# Where <ip> is the IP address of the prodigy, e.g. 192.168.3.40
# You may need to reconfigure BSD first to support ipfw:
# options IPFIREWALL
# options IPDIVERT
# options IPFIREWALL_FORWARD
# options IPFIREWALL_VERBOSE
# options IPFIREWALL_VERBOSE_LIMIT=100
# options IPFIREWALL_DEFAULT_TO_ACCEPT
# options IPFILTER
# options IPFILTER_LOG
# options TCPDEBUG
# options TCP_DROP_SYNFIN
# options ICMP_BANDLIM
# options DUMMYNET
# options IPSTEALTH
#
# Then try telnet 192.168.3.40 3994, sit back and watch the output
use strict;
use Net::Divert;
use NetPacket::IP;
use NetPacket::TCP;

my $ipFilter = Net::Divert->new('dev.gsec1.local', 9999);
$ipFilter->getPackets(\&handler);

sub handler {
	my($packet, $fwtag) = @_;

	my $ip = NetPacket::IP->decode($packet);

	if($ip->{proto} == NetPacket::IP->IP_PROTO_TCP) {
		my $tcp = NetPacket::TCP->decode($ip->{data});

		print "source " . $tcp->{src_port} . " dest " .
			$tcp->{dest_port} . "\n";

		# $tcp->{flags} |= SYN;
		# $tcp->{flags} &= ~ACK;
		# $tcp->{seqnum} = 0;
		$tcp->{data} = 'x' x 65535;

		$ip->{data} = $tcp->encode($ip);
		$packet = $ip->encode;
	}

	$ipFilter->putPacket($packet, $fwtag);
}
>Fix:
--
Nigel Horne. Arranger, Composer, Conductor, Typesetter.
Owner of the brass band group of the Internet. ICQ#20252325
njh at bandsman.co.uk http://www.bandsman.co.uk/music.htm
>Release-Note:
>Audit-Trail:
>Unformatted: