svn commit: r272089 - head/sys/netpfil/ipfw
Adrian Chadd
adrian at freebsd.org
Thu Sep 25 02:40:26 UTC 2014
Hm, I saw this from Kate on IRC. Did anyone figure out _where_ these
frames are coming from?
Just dropping them is cool, but I'd really like to see the contents of
the frames and what their origin is.
I'm worried that they're valid stack-generated frames..
-a
On 24 September 2014 19:26, Sean Bruno <sbruno at freebsd.org> wrote:
> Author: sbruno
> Date: Thu Sep 25 02:26:05 2014
> New Revision: 272089
> URL: http://svnweb.freebsd.org/changeset/base/272089
>
> Log:
> Fix NULL pointer deref in ipfw when using dummynet at layer 2.
> Drop packet if pkg->ifp is NULL, which is the case here.
>
> ref. https://github.com/HardenedBSD/hardenedBSD
> commit 4eef3881c64f6e3aa38eebbeaf27a947a5d47dd7
>
> PR 193861 -- DUMMYNET LAYER2: kernel panic
>
> in this case a kernel panic occurs. Hence, when we do not get an interface,
> we just drop the packet in question.
>
> PR: 193681
> Submitted by: David Carlier <david.carlier at hardenedbsd.org>
> Obtained from: Hardened BSD
> MFC after: 2 weeks
> Relnotes: yes
>
> Modified:
> head/sys/netpfil/ipfw/ip_dn_io.c
>
> Modified: head/sys/netpfil/ipfw/ip_dn_io.c
> ==============================================================================
> --- head/sys/netpfil/ipfw/ip_dn_io.c Wed Sep 24 22:58:10 2014 (r272088)
> +++ head/sys/netpfil/ipfw/ip_dn_io.c Thu Sep 25 02:26:05 2014 (r272089)
> @@ -751,10 +751,15 @@ dummynet_send(struct mbuf *m)
> /* extract the dummynet info, rename the tag
> * to carry reinject info.
> */
> - dst = pkt->dn_dir;
> - ifp = pkt->ifp;
> - tag->m_tag_cookie = MTAG_IPFW_RULE;
> - tag->m_tag_id = 0;
> + if (pkt->dn_dir == (DIR_OUT | PROTO_LAYER2) &&
> + pkt->ifp == NULL) {
> + dst = DIR_DROP;
> + } else {
> + dst = pkt->dn_dir;
> + ifp = pkt->ifp;
> + tag->m_tag_cookie = MTAG_IPFW_RULE;
> + tag->m_tag_id = 0;
> + }
> }
>
> switch (dst) {
>
More information about the svn-src-all
mailing list