Message-Id: <200907190202.n6J22dqo003788@www.freebsd.org>
Date: Sun, 19 Jul 2009 02:02:39 GMT
From: Aragon Gouveia <aragon@phat.za.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ppp(8) crashing with port 65535 in "nat port"
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         136893
>Category:       kern
>Synopsis:       ppp(8) crashing with port 65535 in "nat port"
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    brian
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jul 19 02:10:01 UTC 2009
>Closed-Date:    Mon Aug 10 02:03:58 UTC 2009
>Last-Modified:  Mon Aug 10 02:03:58 UTC 2009
>Originator:     Aragon Gouveia
>Release:        8.0-BETA1
>Organization:
>Environment:
FreeBSD soek.geek.sh 8.0-BETA1 FreeBSD 8.0-BETA1 #0: Sat Jul 18 01:46:02 SAST 2009     root@fuzz.geek.sh:/usr/obj/nanobsd.soek/i386/usr/src/sys/SOEK  i386
>Description:
I'm using ppp(8) to run a PPPoE session to my ISP.  I've noticed by accident that configuring it to redirect port 65535 with the "nat port" config option causes ppp to consume an ever-increasing amount of memory during startup, eventually being killed by the kernel.
>How-To-Repeat:
add "nat port tcp 1.2.3.4:65535 65535" to ppp.conf

>Fix:
A variable that's the condition of a while loop is overflowing.  Quick fix:


--- usr.sbin/ppp/nat_cmd.c.orig	2009-07-19 03:50:27.000000000 +0200
+++ usr.sbin/ppp/nat_cmd.c	2009-07-19 03:50:20.000000000 +0200
@@ -184,6 +184,7 @@
                       error);
         return 1;
       }
+      if (laliasport == 65535) break;
       llocalport++;
       laliasport++;
       if (hremoteport)
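
Review bot: The added `if (laliasport == 65535) break;` hard-codes the maximum value of the counter's type instead of testing the loop's own upper bound, so the fix silently depends on the variable staying 16 bits wide. Comparing against the end of the requested range before the increment would terminate correctly for any width and any range. Also put `break;` on its own line to match the surrounding code, where `return 1;` stands alone.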


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun Jul 19 03:50:16 UTC 2009 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=136893 
Responsible-Changed-From-To: freebsd-net->brian 
Responsible-Changed-By: brian 
Responsible-Changed-When: Sun Jul 19 07:15:48 UTC 2009 
Responsible-Changed-Why:  
I'll take a look at this. 

State-Changed-From-To: open->feedback 
State-Changed-By: brian 
State-Changed-When: Sun Jul 19 19:01:23 UTC 2009 
State-Changed-Why:  
Fixed in current (r195772).  I'll MFC in 3 weeks. 

Thanks for the patch (although I tweaked it slightly). 


From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/136893: commit references a PR
Date: Sun, 19 Jul 2009 19:01:40 +0000 (UTC)

 Author: brian
 Date: Sun Jul 19 19:01:30 2009
 New Revision: 195772
 URL: http://svn.freebsd.org/changeset/base/195772
 
 Log:
   Don't get stuck in an infinite loop comparing (short++ <= maxshort)
   
   PR:		136893
   Submitted by:	Aragon Gouveia - aragon at phat dot za dot net (mostly)
   Approved by:	re (kib)
   MFC after:	3 weeks
 
 Modified:
   head/usr.sbin/ppp/nat_cmd.c
 
 Modified: head/usr.sbin/ppp/nat_cmd.c
 ==============================================================================
 --- head/usr.sbin/ppp/nat_cmd.c	Sun Jul 19 18:37:20 2009	(r195771)
 +++ head/usr.sbin/ppp/nat_cmd.c	Sun Jul 19 19:01:30 2009	(r195772)
 @@ -175,7 +175,7 @@ nat_RedirectPort(struct cmdargs const *a
        return -1;
      }
  
 -    while (laliasport <= haliasport) {
 +    do {
        link = LibAliasRedirectPort(la, localaddr, htons(llocalport),
  				     remoteaddr, htons(lremoteport),
                                       aliasaddr, htons(laliasport),
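
Review bot: Replacing `while (laliasport <= haliasport) {` with `do {` makes the body run at least once, so a range whose low alias port is above its high one would now produce one `LibAliasRedirectPort` call where the old loop produced none. The `return -1;` just above suggests the arguments are validated earlier, but that condition is outside this hunk; confirm that it rejects a reversed range, or add the check explicitly before the loop.
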
 @@ -187,10 +187,9 @@ nat_RedirectPort(struct cmdargs const *a
          return 1;
        }
        llocalport++;
 -      laliasport++;
        if (hremoteport)
          lremoteport++;
 -    }
 +    } while (laliasport++ < haliasport);
  
      return 0;
    }
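
Review bot: In `} while (laliasport++ < haliasport);` the increment still runs after the final comparison, so when haliasport is the type's maximum the counter wraps on the way out. That is harmless here because `return 0;` follows immediately, but a short comment on the loop saying why the test precedes the increment would stop someone from turning it back into a plain `while` or from reading laliasport after the loop.
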
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: feedback->patched 
State-Changed-By: brian 
State-Changed-When: Mon Jul 20 16:05:36 UTC 2009 
State-Changed-Why:  
Fixed in r195772.  I'll MFC in 3 weeks. 


From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/136893: commit references a PR
Date: Sun,  9 Aug 2009 18:39:37 +0000 (UTC)

 Author: brian
 Date: Sun Aug  9 18:39:23 2009
 New Revision: 196088
 URL: http://svn.freebsd.org/changeset/base/196088
 
 Log:
   MFC: Don't get stuck in an infinite loop comparing (short++ <= maxshort)
   
   PR:		136893
   Submitted by:	Aragon Gouveia - aragon at phat dot za dot net (mostly)
 
 Modified:
   stable/7/usr.sbin/ppp/   (props changed)
   stable/7/usr.sbin/ppp/nat_cmd.c
 
 Modified: stable/7/usr.sbin/ppp/nat_cmd.c
 ==============================================================================
 --- stable/7/usr.sbin/ppp/nat_cmd.c	Sun Aug  9 11:47:39 2009	(r196087)
 +++ stable/7/usr.sbin/ppp/nat_cmd.c	Sun Aug  9 18:39:23 2009	(r196088)
 @@ -173,7 +173,7 @@ nat_RedirectPort(struct cmdargs const *a
        return -1;
      }
  
 -    while (laliasport <= haliasport) {
 +    do {
        link = PacketAliasRedirectPort(localaddr, htons(llocalport),
  				     remoteaddr, htons(lremoteport),
                                       aliasaddr, htons(laliasport),
 @@ -185,10 +185,9 @@ nat_RedirectPort(struct cmdargs const *a
          return 1;
        }
        llocalport++;
 -      laliasport++;
        if (hremoteport)
          lremoteport++;
 -    }
 +    } while (laliasport++ < haliasport);
  
      return 0;
    }
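
Review bot: `llocalport++` and the conditional `lremoteport++` stay in the body while laliasport now advances in the loop condition, so three counters that move in step are updated in two different places. None of them is read after the last pass (`return 0;` follows), so behaviour is unchanged, but testing for the end of the range inside the body and then incrementing all three together would keep them side by side and make the termination rule easier to see.
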
 
State-Changed-From-To: patched->closed 
State-Changed-By: brian 
State-Changed-When: Mon Aug 10 02:03:18 UTC 2009 
State-Changed-Why:  
The fix has been merged to stable/7 - r196088 

>Unformatted:
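
The loop behaviour discussed in this PR, as an added example that is not part of the original report or of the ppp(8) source: it counts passes through the pre-fix `while` shape, the committed `do`/`while` shape, and a width-independent variant. It assumes the port counters are 16-bit unsigned (modelled with `uint16_t`, following the commit log's "short++ <= maxshort"); the function names and `ITER_CAP` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
/* Hypothetical guard so the wrapping loop can be observed; counters assumed 16-bit. */
#define ITER_CAP 200000u

/* Pre-fix shape: while (lo <= hi) { body; lo++; } */
static unsigned passes_while(uint16_t lo, uint16_t hi)
{
    unsigned n = 0;
    while (lo <= hi) {
        if (++n >= ITER_CAP)
            break;      /* hi == 65535: lo wraps to 0 and the test stays true */
        lo++;
    }
    return n;
}

/* Committed shape: do { body; } while (lo++ < hi); */
static unsigned passes_do_while(uint16_t lo, uint16_t hi)
{
    unsigned n = 0;
    do {
        if (++n >= ITER_CAP)
            break;
    } while (lo++ < hi);
    return n;
}

/* Width-independent variant: reject a reversed range, test before incrementing. */
static unsigned passes_guarded(uint16_t lo, uint16_t hi)
{
    unsigned n = 0;
    if (lo > hi)
        return 0;
    for (;;) {
        n++;
        if (lo == hi)
            break;
        lo++;
    }
    return n;
}

int main(void)
{
    printf("while    65535-65535: %u (capped)\n", passes_while(65535, 65535));
    printf("do-while 65535-65535: %u\n", passes_do_while(65535, 65535));
    printf("do-while 90-80: %u, guarded 90-80: %u\n",
           passes_do_while(90, 80), passes_guarded(90, 80));
    return 0;
}
```

Without the cap the first call never returns, which matches the runaway startup described in the report.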
