svn commit: r272089 - head/sys/netpfil/ipfw
Sean Bruno
sbruno at ignoranthack.me
Thu Sep 25 11:07:13 UTC 2014
On Thu, 2014-09-25 at 09:18 +0400, Gleb Smirnoff wrote:
> On Wed, Sep 24, 2014 at 07:40:23PM -0700, Adrian Chadd wrote:
> A> Hm, I saw this from Kate on IRC. Did anyone figure out _where_ these
> A> frames are coming from?
> A>
> A> Just dropping them is cool, but I'd really like to see the contents of
> A> the frames and what their origin is.
> A>
> A> I'm worried that they're valid stack-generated frames..
>
> I agree on this. Fixing NULL pointer derefs with NULL check is not
> always a right thing to do.
>
> A> -a
> A>
> A>
> A> On 24 September 2014 19:26, Sean Bruno <sbruno at freebsd.org> wrote:
> A> > Author: sbruno
> A> > Date: Thu Sep 25 02:26:05 2014
> A> > New Revision: 272089
> A> > URL: http://svnweb.freebsd.org/changeset/base/272089
> A> >
> A> > Log:
> A> > Fix NULL pointer deref in ipfw when using dummynet at layer 2.
> A> > Drop packet if pkg->ifp is NULL, which is the case here.
> A> >
> A> > ref. https://github.com/HardenedBSD/hardenedBSD
> A> > commit 4eef3881c64f6e3aa38eebbeaf27a947a5d47dd7
> A> >
> A> > PR 193861 -- DUMMYNET LAYER2: kernel panic
> A> >
> A> > in this case a kernel panic occurs. Hence, when we do not get an interface,
> A> > we just drop the packet in question.
> A> >
> A> > PR: 193681
> A> > Submitted by: David Carlier <david.carlier at hardenedbsd.org>
> A> > Obtained from: Hardened BSD
> A> > MFC after: 2 weeks
> A> > Relnotes: yes
> A> >
> A> > Modified:
> A> > head/sys/netpfil/ipfw/ip_dn_io.c
> A> >
> A> > Modified: head/sys/netpfil/ipfw/ip_dn_io.c
> A> > ==============================================================================
> A> > --- head/sys/netpfil/ipfw/ip_dn_io.c Wed Sep 24 22:58:10 2014 (r272088)
> A> > +++ head/sys/netpfil/ipfw/ip_dn_io.c Thu Sep 25 02:26:05 2014 (r272089)
> A> > @@ -751,10 +751,15 @@ dummynet_send(struct mbuf *m)
> A> > /* extract the dummynet info, rename the tag
> A> > * to carry reinject info.
> A> > */
> A> > - dst = pkt->dn_dir;
> A> > - ifp = pkt->ifp;
> A> > - tag->m_tag_cookie = MTAG_IPFW_RULE;
> A> > - tag->m_tag_id = 0;
> A> > + if (pkt->dn_dir == (DIR_OUT | PROTO_LAYER2) &&
> A> > + pkt->ifp == NULL) {
> A> > + dst = DIR_DROP;
> A> > + } else {
> A> > + dst = pkt->dn_dir;
> A> > + ifp = pkt->ifp;
> A> > + tag->m_tag_cookie = MTAG_IPFW_RULE;
> A> > + tag->m_tag_id = 0;
> A> > + }
> A> > }
> A> >
> A> > switch (dst) {
> A> >
> A>
>
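Review bot: The new `pkt->ifp == NULL` check at the top of the added block drops the frame silently and carries no comment explaining why a `DIR_OUT | PROTO_LAYER2` packet can reach `dummynet_send()` without an interface, so the condition that caused the panic stays invisible after this change. Consider a comment on the check plus a drop counter or rate-limited log at that point, so the source of these frames can be traced. The drop branch also leaves `ifp` unassigned and the tag cookie unchanged, which is only safe if the `DIR_DROP` case of the following `switch (dst)` uses neither; that is not visible in this hunk and is worth confirming.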
Ok, moving off to freebsd-net. How should we proceed with debugging
further?
sean
bcc src-all src-head