From nobody@FreeBSD.org  Wed Apr  7 18:25:03 2010
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 65A0D1065688
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  7 Apr 2010 18:25:03 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 553508FC0C
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  7 Apr 2010 18:25:03 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id o37IP2WC090764
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 7 Apr 2010 18:25:02 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id o37IP2cx090763;
	Wed, 7 Apr 2010 18:25:02 GMT
	(envelope-from nobody)
Message-Id: <201004071825.o37IP2cx090763@www.freebsd.org>
Date: Wed, 7 Apr 2010 18:25:02 GMT
From: Aleksey <otim@mail.ru>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [patch] panic kernel when ng_ipfw send ip package on not existing netgraph node
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         145462
>Category:       kern
>Synopsis:       [netgraph] [patch] panic kernel when ng_ipfw send ip package on not existing netgraph node
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    glebius
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 07 18:30:03 UTC 2010
>Closed-Date:    Thu Jul 08 12:34:40 UTC 2010
>Last-Modified:  Thu Jul 08 12:34:40 UTC 2010
>Originator:     Aleksey
>Release:        7.3-RELEASE
>Organization:
MKC
>Environment:
FreeBSD nas2.test 7.3-RELEASE FreeBSD 7.3-RELEASE #2: Wed Apr  7 01:12:12 OMSST 2010     root@nas2.test:/usr/obj/usr/src/sys/GW  i386

>Description:
When ng_ipfw sends an IP packet to a non-existent netgraph node, the packet must be rejected. A dead node causes a kernel panic when the packet is issued to it.
>How-To-Repeat:
ipfw add 1 netgraph 1 all from me to any
ping 127.0.0.1
>Fix:
--- /usr/src/sys/netgraph/ng_ipfw.c.orig        2010-02-10 06:26:20.000000000 +0600
+++ /usr/src/sys/netgraph/ng_ipfw.c     2010-04-08 01:13:31.000000000 +0700
@@ -271,8 +271,10 @@
         */
        if (fw_node == NULL ||
           (hook = ng_ipfw_findhook1(fw_node, fwa->cookie)) == NULL) {
-               if (tee == 0)
+               if (tee == 0) {
                        m_freem(*m0);
+                       *m0 = NULL;
+               }
                return (ESRCH);         /* no hook associated with this rule */
        }
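Review bot: Clearing *m0 after m_freem(*m0) in the tee == 0 branch only prevents a second free if the caller checks *m0 for NULL when it gets ESRCH back, and nothing in this hunk shows that it does. Please either point to the caller's NULL check in the description or state the ownership rule in the comment above the test (who frees the mbuf on ESRCH, and that *m0 is NULL afterwards). The tee != 0 path still returns ESRCH with *m0 untouched, so the caller now sees two different states for the same error code; that asymmetry deserves a comment as well.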


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Wed Apr 7 20:44:55 UTC 2010 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=145462 

From: Gleb Smirnoff <glebius@FreeBSD.org>
To: Aleksey <otim@mail.ru>
Cc: bug-followup@FreeBSD.org
Subject: Re: kern/145462
Date: Tue, 13 Apr 2010 15:36:58 +0400

  IMO, this patch would be better:
 
 Index: ng_ipfw.c
 ===================================================================
 --- ng_ipfw.c   (revision 206495)
 +++ ng_ipfw.c   (working copy)
 @@ -264,11 +264,8 @@
          * Node must be loaded and corresponding hook must be present.
          */
         if (fw_node == NULL || 
 -          (hook = ng_ipfw_findhook1(fw_node, fwa->rule.info)) == NULL) {
 -               if (tee == 0)
 -                       m_freem(*m0);
 +          (hook = ng_ipfw_findhook1(fw_node, fwa->rule.info)) == NULL)
                 return (ESRCH);         /* no hook associated with this rule */
 -       }
  
         /*
          * We have two modes: in normal mode we add a tag to packet, which is
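Review bot: The removed lines freed the mbuf only when tee == 0, so dropping them changes behaviour for the non-tee case alone; the patch should say why the caller can be relied on to free *m0 on ESRCH in that case, and confirm that the tee case was already handled by the caller. With the free gone, the function returns ESRCH with *m0 still pointing at a live mbuf, so a caller that ignores the return value would now leak instead of double-freeing. A short note on which caller path was checked would make this reviewable from the diff alone.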
 
 
 Can you please test it and if you don't mind I will commit it.
 
 -- 
 Totus tuus, Glebius.

Date: Thu, 15 Apr 2010 08:47:11 +0400
From: Alex Novikov <otim@mail.ru>
Reply-To: Alex Novikov <otim@mail.ru>
To: bug-followup@FreeBSD.org,
	otim@mail.ru
Subject: Re: kern/145462: [netgraph] [patch] panic kernel when ng_ipfw send ip package on not existing netgraph node

 Probably the code is correct. However, by means of ipfw it is impossible to
 determine whether a packet has passed through netgraph or not. If the packet
 returns to ipfw, it is difficult to find the problem.

 Historically, a netgraph node rejects packets sent in the direction of an
 empty hook. It is impossible to change the logic without reasons.
 
 man ng_ipfw
 >Packets are sent out of the hook whose name equals the cookie value.
 >If no hook matches, packets are discarded.
State-Changed-From-To: open->patched 
State-Changed-By: glebius 
State-Changed-When: Tue Jul 6 10:35:17 UTC 2010 
State-Changed-Why:  
Fixed in head/. 


Responsible-Changed-From-To: freebsd-net->glebius 
Responsible-Changed-By: glebius 
Responsible-Changed-When: Tue Jul 6 10:35:17 UTC 2010 
Responsible-Changed-Why:  
Fixed in head/. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=145462 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/145462: commit references a PR
Date: Tue,  6 Jul 2010 10:45:51 +0000 (UTC)

 Author: glebius
 Date: Tue Jul  6 10:45:38 2010
 New Revision: 209722
 URL: http://svn.freebsd.org/changeset/base/209722
 
 Log:
   Avoid double-free. In error cases ipfw(4) frees the mbuf(4), we don't
   need to.
   
   PR:		kern/145462
 
 Modified:
   head/sys/netgraph/ng_ipfw.c
 
 Modified: head/sys/netgraph/ng_ipfw.c
 ==============================================================================
 --- head/sys/netgraph/ng_ipfw.c	Tue Jul  6 10:28:19 2010	(r209721)
 +++ head/sys/netgraph/ng_ipfw.c	Tue Jul  6 10:45:38 2010	(r209722)
 @@ -265,11 +265,8 @@ ng_ipfw_input(struct mbuf **m0, int dir,
  	 * Node must be loaded and corresponding hook must be present.
  	 */
  	if (fw_node == NULL || 
 -	   (hook = ng_ipfw_findhook1(fw_node, fwa->rule.info)) == NULL) {
 -		if (tee == 0)
 -			m_freem(*m0);
 +	   (hook = ng_ipfw_findhook1(fw_node, fwa->rule.info)) == NULL)
  		return (ESRCH);		/* no hook associated with this rule */
 -	}
  
  	/*
  	 * We have two modes: in normal mode we add a tag to packet, which is
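Review bot: The ownership rule ("in error cases ipfw(4) frees the mbuf(4)") lives only in the commit log; the comment above the test still says just "Node must be loaded and corresponding hook must be present". Please extend that comment to say that on ESRCH the mbuf is left untouched and the ipfw caller disposes of it, so the next person editing ng_ipfw_input does not reintroduce the m_freem(*m0). The ng_ipfw manual text quoted in this PR ("If no hook matches, packets are discarded") now holds only through the caller's behaviour, which is worth a sentence in the same comment.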
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/145462: commit references a PR
Date: Thu,  8 Jul 2010 12:22:24 +0000 (UTC)

 Author: glebius
 Date: Thu Jul  8 12:21:25 2010
 New Revision: 209796
 URL: http://svn.freebsd.org/changeset/base/209796
 
 Log:
   Merge 209633, 209722 from head:
   
     The struct ipfw_rule_ref follows the struct m_tag. Deal with this
     correctly. This fixes breakage of ng_ipfw(4) in r201527.
   
   Submitted by:	Alexander Zagrebin <alexz visp.ru>
   
     Avoid double-free. In error cases ipfw(4) frees the mbuf(4), we don't
     need to.
   
   PR:		kern/145462
 
 Modified:
   stable/8/sys/netgraph/ng_ipfw.c
 
 Modified: stable/8/sys/netgraph/ng_ipfw.c
 ==============================================================================
 --- stable/8/sys/netgraph/ng_ipfw.c	Thu Jul  8 12:20:15 2010	(r209795)
 +++ stable/8/sys/netgraph/ng_ipfw.c	Thu Jul  8 12:21:25 2010	(r209796)
 @@ -221,20 +221,21 @@ ng_ipfw_findhook1(node_p node, u_int16_t
  static int
  ng_ipfw_rcvdata(hook_p hook, item_p item)
  {
 -	struct ipfw_rule_ref	*tag;
 +	struct m_tag *tag;
 +	struct ipfw_rule_ref *r;
  	struct mbuf *m;
  
  	NGI_GET_M(item, m);
  	NG_FREE_ITEM(item);
  
 -	tag = (struct ipfw_rule_ref *)
 -		m_tag_locate(m, MTAG_IPFW_RULE, 0, NULL);
 +	tag = m_tag_locate(m, MTAG_IPFW_RULE, 0, NULL);
  	if (tag == NULL) {
  		NG_FREE_M(m);
  		return (EINVAL);	/* XXX: find smth better */
  	};
  
 -	if (tag->info & IPFW_INFO_IN) {
 +	r = (struct ipfw_rule_ref *)(tag + 1);
 +	if (r->info & IPFW_INFO_IN) {
  		ip_input(m);
  		return (0);
  	} else {
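Review bot: r = (struct ipfw_rule_ref *)(tag + 1) reads whatever follows the m_tag header without checking that the tag carries a payload of that size. The log message states the layout, but the code does not enforce it: a check such as tag->m_tag_len >= sizeof(*r) before r->info is read, taking the same NG_FREE_M(m) / EINVAL exit as the tag == NULL branch, would turn a malformed tag into a dropped packet rather than an out-of-bounds read. At minimum, a comment at the cast stating that struct ipfw_rule_ref follows struct m_tag would guard against a return to the direct cast this hunk removes.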
 @@ -264,11 +265,8 @@ ng_ipfw_input(struct mbuf **m0, int dir,
  	 * Node must be loaded and corresponding hook must be present.
  	 */
  	if (fw_node == NULL || 
 -	   (hook = ng_ipfw_findhook1(fw_node, fwa->rule.info)) == NULL) {
 -		if (tee == 0)
 -			m_freem(*m0);
 +	   (hook = ng_ipfw_findhook1(fw_node, fwa->rule.info)) == NULL)
  		return (ESRCH);		/* no hook associated with this rule */
 -	}
  
  	/*
  	 * We have two modes: in normal mode we add a tag to packet, which is
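Review bot: Style point on the rewritten test: with the braces gone, the condition spans two lines, contains an assignment to hook, and is followed by an unbraced return, which makes it easy to misread the continuation line as the body. Consider keeping the braces around the single return or looking up the hook in a separate statement before the test. The context line "if (fw_node == NULL || " also carries trailing whitespace that could be cleaned up while this block is being touched.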
 
State-Changed-From-To: patched->closed 
State-Changed-By: glebius 
State-Changed-When: Thu Jul 8 12:34:26 UTC 2010 
State-Changed-Why:  
Fixed in releng/8. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=145462 
>Unformatted:
