From nobody@FreeBSD.org  Wed Sep 12 09:50:07 2001
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 972F337B406
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 12 Sep 2001 09:50:07 -0700 (PDT)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.4/8.11.4) id f8CGo7D55328;
	Wed, 12 Sep 2001 09:50:07 -0700 (PDT)
	(envelope-from nobody)
Message-Id: <200109121650.f8CGo7D55328@freefall.freebsd.org>
Date: Wed, 12 Sep 2001 09:50:07 -0700 (PDT)
From: Lars Eggert <larse@isi.edu>
To: freebsd-gnats-submit@FreeBSD.org
Subject: 4.4-RC4: panic in icmp_reflect [WITH PATCH]
X-Send-Pr-Version: www-1.0

>Number:         30524
>Category:       kern
>Synopsis:       4.4-RC4: panic in icmp_reflect [WITH PATCH]
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    dd
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 12 10:00:01 PDT 2001
>Closed-Date:    Tue Nov 27 12:03:29 PST 2001
>Last-Modified:  Tue Nov 27 12:03:48 PST 2001
>Originator:     Lars Eggert
>Release:        4.4-RC4
>Organization:
USC/ISI
>Environment:
FreeBSD keg.isi.edu 4.4-RC FreeBSD 4.4-RC #7: Wed Sep 12 09:07:45 PDT 2001     root@keg.isi.edu:/usr/src/sys/compile/KERNEL  i386

>Description:
My 4.4-RC4 kernel occasionally panics in icmp_reflect() at line 644.
Here's the relevant code:

	/*
	 * The following happens if the packet was not addressed to us,
	 * and was received on an interface with no IP address.
	 */
	if (ia == (struct in_ifaddr *)0)
		ia = in_ifaddrhead.tqh_first;
	t = IA_SIN(ia)->sin_addr;

The intention here is to find a valid local IP address to send the
ICMP message from.

The problem is that in_ifaddrhead.tqh_first can be zero (at least in
some cases), and dereferencing in the line following the assignment
causes a kernel panic.

The patch below fixes this, by not simply using the first local
IP address in the TAILQ, but iterating over it until a non-zero one
is found. Also, it skips sending the ICMP message when no valid
address is found in the TAILQ at all.

This bug may be triggered by a custom startup script in use here
at ISI, which uses ARP requests very early in the boot process (after
pccardd is started) to determine the network location of the machine
is at, and configuring it appropriately.
>How-To-Repeat:

>Fix:
--- plain       Wed Sep 12 09:47:58 2001
+++ ip_icmp.c   Wed Sep 12 09:37:54 2001
@@ -639,9 +639,26 @@
        /*
         * The following happens if the packet was not addressed to us,
         * and was received on an interface with no IP address.
+        *
+        * Prior versions simply set ia = in_ifaddrhead.tqh_first if it
+        * was zero here. When in_ifaddrhead.tqh_first is also zero
+        * (pointer gets dereferenced below), the kernel panics. It looks
+        * like this can happen with PC-card interfaces, but I have not
+        * investigated this fully.
+        *
+        * Instead, iterate over the TAILQ to find the first non-zero
+        * interface address, and use that. If none can be found, skip
+        * sending the ICMP packet.
+        *                                              larse@isi.edu
         */
-       if (ia == (struct in_ifaddr *)0)
-               ia = in_ifaddrhead.tqh_first;
+       if (ia == (struct in_ifaddr *)0) {
+               TAILQ_FOREACH(ia, &in_ifaddrhead, ia_link)
+                       if (ia != (struct in_ifaddr *)0)
+                               break;
+               if (ia == (struct in_ifaddr *)0)
+                       /* did not find any valid interface address */
+                       goto done;
+       }
        t = IA_SIN(ia)->sin_addr;
        ip->ip_src = t;
        ip->ip_ttl = ip_defttl;

>Release-Note:
>Audit-Trail:

From: Dima Dorfman <dima@unixfreak.org>
To: Lars Eggert <larse@isi.edu>
Cc: freebsd-gnats-submit@FreeBSD.org, wollman@freebsd.org
Subject: Re: kern/30524: 4.4-RC4: panic in icmp_reflect [WITH PATCH] 
Date: Thu, 13 Sep 2001 04:49:13 -0700

 Lars Eggert <larse@isi.edu> wrote:
 > --- plain       Wed Sep 12 09:47:58 2001
 > +++ ip_icmp.c   Wed Sep 12 09:37:54 2001
 > @@ -639,9 +639,26 @@
 >         /*
 >          * The following happens if the packet was not addressed to us,
 >          * and was received on an interface with no IP address.
 > +        *
 > +        * Prior versions simply set ia = in_ifaddrhead.tqh_first if it
 > +        * was zero here. When in_ifaddrhead.tqh_first is also zero
 > +        * (pointer gets dereferenced below), the kernel panics. It looks
 > +        * like this can happen with PC-card interfaces, but I have not
 > +        * investigated this fully.
 > +        *
 > +        * Instead, iterate over the TAILQ to find the first non-zero
 > +        * interface address, and use that. If none can be found, skip
 > +        * sending the ICMP packet.
 > +        *                                              larse@isi.edu
 >          */
 > -       if (ia == (struct in_ifaddr *)0)
 > -               ia = in_ifaddrhead.tqh_first;
 > +       if (ia == (struct in_ifaddr *)0) {
 > +               TAILQ_FOREACH(ia, &in_ifaddrhead, ia_link)
 > +                       if (ia != (struct in_ifaddr *)0)
 > +                               break;
 
 This check doesn't make sense, because TAILQ_FOREACH expands
 (effectively) into:
 
 	for (ia = in_ifaddrhead.tqh_first; ia != NULL; ia = ia->tqh_next)
 		/* I might've gotten some variable names wrong here. */
 
 Thus, the if() inside it will *always* fail.  Essentially what you
 want to do is check if the TAILQ is empty, and fail otherwise.  But...
 
 Right now, the code in question assumes that if a packet gets to it,
 there must be a valid interface.  However, this assumption was broken
 in rev. 1.114 of ip_input.c, which says:
 
     ----------------------------
     revision 1.114
     date: 1999/02/09 16:55:46;  author: wollman;  state: Exp;  lines: +8 -10
     After wading in the cesspool of ip_input for an hour, I have managed to
     convince myself that nothing will break if we permit IP input while
     interface addresses are unconfigured.  (At worst, they will hit some
     ULP's PCB scan and fail if nobody is listening.)  So, remove the restriction
     that addresses must be configured before packets can be input.  Assume
     that any unicast packet we receive while unconfigured is potentially ours.
     ----------------------------
 
 Unforunately, the commit log doesn't provide any rationale for the
 change, just reassurance that it probably doesn't break anything.
 Garrett (cc'd), can you provide any insight on this?  Was your
 intention to filter down TAILQ_EMPTY(&in_ifaddrhead) checks below
 in_input, and, if so, why?  If the only recourse in this case is to
 bail out, why shouldn't it be done in in_input?  Or should this code
 try to do something else?
 
 
 > +               if (ia == (struct in_ifaddr *)0)
 > +                       /* did not find any valid interface address */
 
 You would also need to free `m' here.
 
 > +                       goto done;
 > +       }
 >         t = IA_SIN(ia)->sin_addr;
 >         ip->ip_src = t;
 >         ip->ip_ttl = ip_defttl;

From: "Lars Eggert" <larse@ISI.EDU>
To: "Dima Dorfman" <dima@unixfreak.org>
Cc: <freebsd-gnats-submit@FreeBSD.org>, <wollman@freebsd.org>
Subject: RE: kern/30524: 4.4-RC4: panic in icmp_reflect [WITH PATCH] 
Date: Thu, 13 Sep 2001 09:24:42 -0800

 This is a multi-part message in MIME format.
 
 ------=_NextPart_000_0000_01C13C35.EB994BF0
 Content-Type: text/plain;
 	charset="iso-8859-1"
 Content-Transfer-Encoding: 7bit
 
 Dima,
 
 thanks for the quick reply!
 
 > This check doesn't make sense, because TAILQ_FOREACH expands
 > (effectively) into:
 >
 > 	for (ia = in_ifaddrhead.tqh_first; ia != NULL; ia = ia->tqh_next)
 > 		/* I might've gotten some variable names wrong here. */
 >
 > Thus, the if() inside it will *always* fail.  Essentially what you
 > want to do is check if the TAILQ is empty, and fail otherwise.  But...
 
 Ooops. You're right of course.
 
 > > +               if (ia == (struct in_ifaddr *)0)
 > > +                       /* did not find any valid interface address */
 >
 > You would also need to free `m' here.
 
 Both times :-)
 
 Lars
 --
 Lars Eggert <larse@isi.edu>               Information Sciences Institute
 http://www.isi.edu/larse/              University of Southern California
 
 ------=_NextPart_000_0000_01C13C35.EB994BF0
 Content-Type: application/x-pkcs7-signature;
 	name="smime.p7s"
 Content-Transfer-Encoding: base64
 Content-Disposition: attachment;
 	filename="smime.p7s"
 
 MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIF5jCCArUw
 ggIeoAMCAQICAwWBRzANBgkqhkiG9w0BAQIFADCBkjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdl
 c3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMQ8wDQYDVQQKEwZUaGF3dGUxHTAbBgNVBAsT
 FENlcnRpZmljYXRlIFNlcnZpY2VzMSgwJgYDVQQDEx9QZXJzb25hbCBGcmVlbWFpbCBSU0EgMjAw
 MC44LjMwMB4XDTAxMDgyNDE2NDAwMFoXDTAyMDgyNDE2NDAwMFowVDEPMA0GA1UEBBMGRWdnZXJ0
 MQ0wCwYDVQQqEwRMYXJzMRQwEgYDVQQDEwtMYXJzIEVnZ2VydDEcMBoGCSqGSIb3DQEJARYNbGFy
 c2VAaXNpLmVkdTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0AvLBsD78nxcUHeHkaMgl3b4
 qYPnfgbf8Lh+HQP8RgGMRG/Yb+vTpkGezlwt9pkJxiD11uZDy4CNNJUu3gKxKSb+zRV70O+lkwwf
 tuHoLHoH4xwo3LcQ2LGDpd+I95tUN4dfJ3TmeEcUSF50dC/SuUI4w8AlhXQ8IxrhgdayTpECAwEA
 AaNWMFQwKgYFK2UBBAEEITAfAgEAMBowGAIBBAQTTDJ1TXlmZkJOVWJOSkpjZFoyczAYBgNVHREE
 ETAPgQ1sYXJzZUBpc2kuZWR1MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQECBQADgYEAheZhn0pQ
 A8zI7U2K1ZIAl11j0a1DKxnp3GtTvOUrGRB3WvYxidvdZ1kizhEsWeXU81TkNDH0DaRqtOEeu6Q2
 OhB+jeKEqY7IDAJE4/fI0e+d6PnG1hd+vEvYmsKHkmzBhPc94XUOKNWO+qVNP2NGyNI3QIDy5wX4
 fdcOo1S34r4wggMpMIICkqADAgECAgEMMA0GCSqGSIb3DQEBBAUAMIHRMQswCQYDVQQGEwJaQTEV
 MBMGA1UECBMMV2VzdGVybiBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xGjAYBgNVBAoTEVRoYXd0
 ZSBDb25zdWx0aW5nMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMSQw
 IgYDVQQDExtUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgQ0ExKzApBgkqhkiG9w0BCQEWHHBlcnNv
 bmFsLWZyZWVtYWlsQHRoYXd0ZS5jb20wHhcNMDAwODMwMDAwMDAwWhcNMDIwODI5MjM1OTU5WjCB
 kjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3du
 MQ8wDQYDVQQKEwZUaGF3dGUxHTAbBgNVBAsTFENlcnRpZmljYXRlIFNlcnZpY2VzMSgwJgYDVQQD
 Ex9QZXJzb25hbCBGcmVlbWFpbCBSU0EgMjAwMC44LjMwMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
 iQKBgQDeMzKmY8cJJUU+0m54J2eBxdqIGYKXDuNEKYpjNSptcDz63K737nRvMLwzkH/5NHGgo22Y
 8cNPomXbDfpL8dbdYaX5hc1VmjUanZJ1qCeu2HL5ugL217CR3hzpq+AYA6h8Q0JQUYeDPPA5tJtU
 ihOH/7ObnUlmAC0JieyUa+mhaQIDAQABo04wTDApBgNVHREEIjAgpB4wHDEaMBgGA1UEAxMRUHJp
 dmF0ZUxhYmVsMS0yOTcwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAQYwDQYJKoZIhvcN
 AQEEBQADgYEAcxtvJmWL/xU0S1liiu1EvknH6A27j7kNaiYqYoQfuIdjdBxtt88aU5FL4c3mONnt
 UPQ6bDSSrOaSnG7BIwHCCafvS65y3QZn9VBvLli4tgvBUFe17BzX7xe21Yibt6KIGu05Wzl9NPy2
 lhglTWr0ncXDkS+plrgFPFL83eliA0gxggKqMIICpgIBATCBmjCBkjELMAkGA1UEBhMCWkExFTAT
 BgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMQ8wDQYDVQQKEwZUaGF3dGUx
 HTAbBgNVBAsTFENlcnRpZmljYXRlIFNlcnZpY2VzMSgwJgYDVQQDEx9QZXJzb25hbCBGcmVlbWFp
 bCBSU0EgMjAwMC44LjMwAgMFgUcwCQYFKw4DAhoFAKCCAWUwGAYJKoZIhvcNAQkDMQsGCSqGSIb3
 DQEHATAcBgkqhkiG9w0BCQUxDxcNMDEwOTEzMTcyNDQyWjAjBgkqhkiG9w0BCQQxFgQUmCG2P2+p
 Sef/9/LyKNf3yZzuD38wWAYJKoZIhvcNAQkPMUswSTAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgIC
 AIAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwBwYFKw4DAhowCgYIKoZIhvcNAgUwgasGCSsGAQQB
 gjcQBDGBnTCBmjCBkjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UE
 BxMJQ2FwZSBUb3duMQ8wDQYDVQQKEwZUaGF3dGUxHTAbBgNVBAsTFENlcnRpZmljYXRlIFNlcnZp
 Y2VzMSgwJgYDVQQDEx9QZXJzb25hbCBGcmVlbWFpbCBSU0EgMjAwMC44LjMwAgMFgUcwDQYJKoZI
 hvcNAQEBBQAEgYBeEIA3/lsrJ8L83T6RIl44BRqrt7xwWNojonqFnyQTBn/d778d5T6TkAsXoYJu
 SiJ8uLyZazfk1IDLSaXd4WhtTlqNdM7oux5LzhfMHydw0GybmjgRN/thxNpjIkz01BtrWvBQnt+s
 T9hWk8QLsesfmtSvr3KTrxsWZ+JwSk1nygAAAAAAAA==
 
 ------=_NextPart_000_0000_01C13C35.EB994BF0--
 

From: Dima Dorfman <dima@unixfreak.org>
To: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: kern/30524: 4.4-RC4: panic in icmp_reflect [WITH PATCH] 
Date: Mon, 17 Sep 2001 02:49:31 -0700

 Garrett Wollman <wollman@khavrinen.lcs.mit.edu> wrote:
 > <<On Thu, 13 Sep 2001 04:50:02 -0700 (PDT), Dima Dorfman <dima@unixfreak.org>
 >  said:
 > 
 > >  Unforunately, the commit log doesn't provide any rationale for the
 > >  change, just reassurance that it probably doesn't break anything.
 > >  Garrett (cc'd), can you provide any insight on this?
 > 
 > The standard requires that hosts accept broadcasts and multicasts
 > while unconfigured, just as they are supposed to be able to send them
 > (with source address 0.0.0.0).  4.2BSD got this wrong.  This was one
 > of the issues in the way of correct DHCP client operation without
 > requiring BPF.
 
 Okay, please review the attached patch for the icmp case.  It's
 adpated from NetBSD, who have been using it for three years.  It fixes
 the case described in this PR and the one in 29337.
 
 Thanks.
 
 Index: ip_icmp.c
 ===================================================================
 RCS file: /ref/cvsf/src/sys/netinet/ip_icmp.c,v
 retrieving revision 1.59
 diff -u -r1.59 ip_icmp.c
 --- ip_icmp.c	3 Sep 2001 20:03:54 -0000	1.59
 +++ ip_icmp.c	17 Sep 2001 09:46:46 -0000
 @@ -624,9 +624,22 @@
  	/*
  	 * The following happens if the packet was not addressed to us,
  	 * and was received on an interface with no IP address.
 +	 * We find the first address on the first non-loopback
 +	 * interface in the hope of it having a route back to the
 +	 * source.
  	 */
  	if (ia == (struct in_ifaddr *)0)
 -		ia = TAILQ_FIRST(&in_ifaddrhead);
 +		TAILQ_FOREACH(ia, &in_ifaddrhead, ia_link)
 +			if (!(ia->ia_ifp->if_flags & IFF_LOOPBACK))
 +				break;
 +	/*
 +	 * If we still don't have an address, punt.  We probably have
 +	 * an interface up and receiving packets with no addresses.
 +	 */
 +	if (ia == (struct in_ifaddr *)0) {
 +		m_freem(m);
 +		goto done;
 +	}
  	t = IA_SIN(ia)->sin_addr;
  	ip->ip_src = t;
  	ip->ip_ttl = ip_defttl;

From: "Lars Eggert" <larse@ISI.EDU>
To: <freebsd-gnats-submit@FreeBSD.org>
Cc:  
Subject: Re: kern/30524: 4.4-RC4: panic in icmp_reflect [WITH PATCH]
Date: Mon, 17 Sep 2001 10:21:31 -0800

 This is a multi-part message in MIME format.
 
 ------=_NextPart_000_0049_01C13F62.85360760
 Content-Type: text/plain;
 	charset="iso-8859-1"
 Content-Transfer-Encoding: 7bit
 
 FWIW, here's the updated patch.
 
 --- /usr/src/sys/netinet/ip_icmp.c.orig Mon Sep 17 09:57:37 2001
 +++ /usr/src/sys/netinet/ip_icmp.c      Mon Sep 17 10:14:32 2001
 @@ -640,8 +640,13 @@
          * The following happens if the packet was not addressed to us,
          * and was received on an interface with no IP address.
          */
 -       if (ia == (struct in_ifaddr *)0)
 +       if (ia == (struct in_ifaddr *)0) {
 +               if (TAILQ_EMPTY(&in_ifaddrhead)) {
 +                       m_freem(m);     /* Cannot find interface address
 */
 +                       goto done;      /* to send ICMP packet from. */
 +               }
                 ia = in_ifaddrhead.tqh_first;
 +       }
         t = IA_SIN(ia)->sin_addr;
         ip->ip_src = t;
         ip->ip_ttl = ip_defttl;
 
 Will this issue be resolved before 4.4? Either with this patch, or with a
 better solution?
 
 Thanks,
 Lars
 --
 Lars Eggert <larse@isi.edu>               Information Sciences Institute
 http://www.isi.edu/larse/              University of Southern California
 
 ------=_NextPart_000_0049_01C13F62.85360760
 Content-Type: application/x-pkcs7-signature;
 	name="smime.p7s"
 Content-Transfer-Encoding: base64
 Content-Disposition: attachment;
 	filename="smime.p7s"
 
 MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIF5jCCArUw
 ggIeoAMCAQICAwWBRzANBgkqhkiG9w0BAQIFADCBkjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdl
 c3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMQ8wDQYDVQQKEwZUaGF3dGUxHTAbBgNVBAsT
 FENlcnRpZmljYXRlIFNlcnZpY2VzMSgwJgYDVQQDEx9QZXJzb25hbCBGcmVlbWFpbCBSU0EgMjAw
 MC44LjMwMB4XDTAxMDgyNDE2NDAwMFoXDTAyMDgyNDE2NDAwMFowVDEPMA0GA1UEBBMGRWdnZXJ0
 MQ0wCwYDVQQqEwRMYXJzMRQwEgYDVQQDEwtMYXJzIEVnZ2VydDEcMBoGCSqGSIb3DQEJARYNbGFy
 c2VAaXNpLmVkdTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0AvLBsD78nxcUHeHkaMgl3b4
 qYPnfgbf8Lh+HQP8RgGMRG/Yb+vTpkGezlwt9pkJxiD11uZDy4CNNJUu3gKxKSb+zRV70O+lkwwf
 tuHoLHoH4xwo3LcQ2LGDpd+I95tUN4dfJ3TmeEcUSF50dC/SuUI4w8AlhXQ8IxrhgdayTpECAwEA
 AaNWMFQwKgYFK2UBBAEEITAfAgEAMBowGAIBBAQTTDJ1TXlmZkJOVWJOSkpjZFoyczAYBgNVHREE
 ETAPgQ1sYXJzZUBpc2kuZWR1MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQECBQADgYEAheZhn0pQ
 A8zI7U2K1ZIAl11j0a1DKxnp3GtTvOUrGRB3WvYxidvdZ1kizhEsWeXU81TkNDH0DaRqtOEeu6Q2
 OhB+jeKEqY7IDAJE4/fI0e+d6PnG1hd+vEvYmsKHkmzBhPc94XUOKNWO+qVNP2NGyNI3QIDy5wX4
 fdcOo1S34r4wggMpMIICkqADAgECAgEMMA0GCSqGSIb3DQEBBAUAMIHRMQswCQYDVQQGEwJaQTEV
 MBMGA1UECBMMV2VzdGVybiBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xGjAYBgNVBAoTEVRoYXd0
 ZSBDb25zdWx0aW5nMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMSQw
 IgYDVQQDExtUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgQ0ExKzApBgkqhkiG9w0BCQEWHHBlcnNv
 bmFsLWZyZWVtYWlsQHRoYXd0ZS5jb20wHhcNMDAwODMwMDAwMDAwWhcNMDIwODI5MjM1OTU5WjCB
 kjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3du
 MQ8wDQYDVQQKEwZUaGF3dGUxHTAbBgNVBAsTFENlcnRpZmljYXRlIFNlcnZpY2VzMSgwJgYDVQQD
 Ex9QZXJzb25hbCBGcmVlbWFpbCBSU0EgMjAwMC44LjMwMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
 iQKBgQDeMzKmY8cJJUU+0m54J2eBxdqIGYKXDuNEKYpjNSptcDz63K737nRvMLwzkH/5NHGgo22Y
 8cNPomXbDfpL8dbdYaX5hc1VmjUanZJ1qCeu2HL5ugL217CR3hzpq+AYA6h8Q0JQUYeDPPA5tJtU
 ihOH/7ObnUlmAC0JieyUa+mhaQIDAQABo04wTDApBgNVHREEIjAgpB4wHDEaMBgGA1UEAxMRUHJp
 dmF0ZUxhYmVsMS0yOTcwEgYDVR0TAQH/BAgwBgEB/wIBADALBgNVHQ8EBAMCAQYwDQYJKoZIhvcN
 AQEEBQADgYEAcxtvJmWL/xU0S1liiu1EvknH6A27j7kNaiYqYoQfuIdjdBxtt88aU5FL4c3mONnt
 UPQ6bDSSrOaSnG7BIwHCCafvS65y3QZn9VBvLli4tgvBUFe17BzX7xe21Yibt6KIGu05Wzl9NPy2
 lhglTWr0ncXDkS+plrgFPFL83eliA0gxggKqMIICpgIBATCBmjCBkjELMAkGA1UEBhMCWkExFTAT
 BgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMQ8wDQYDVQQKEwZUaGF3dGUx
 HTAbBgNVBAsTFENlcnRpZmljYXRlIFNlcnZpY2VzMSgwJgYDVQQDEx9QZXJzb25hbCBGcmVlbWFp
 bCBSU0EgMjAwMC44LjMwAgMFgUcwCQYFKw4DAhoFAKCCAWUwGAYJKoZIhvcNAQkDMQsGCSqGSIb3
 DQEHATAcBgkqhkiG9w0BCQUxDxcNMDEwOTE3MTgyMTMxWjAjBgkqhkiG9w0BCQQxFgQUKWWYJjlX
 cYpKBvATVKqECD1l+FIwWAYJKoZIhvcNAQkPMUswSTAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgIC
 AIAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwBwYFKw4DAhowCgYIKoZIhvcNAgUwgasGCSsGAQQB
 gjcQBDGBnTCBmjCBkjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UE
 BxMJQ2FwZSBUb3duMQ8wDQYDVQQKEwZUaGF3dGUxHTAbBgNVBAsTFENlcnRpZmljYXRlIFNlcnZp
 Y2VzMSgwJgYDVQQDEx9QZXJzb25hbCBGcmVlbWFpbCBSU0EgMjAwMC44LjMwAgMFgUcwDQYJKoZI
 hvcNAQEBBQAEgYB0mqyibIo9c2GVNSXcjrY9lTpgnly/LIFPtbCV6nO0x2EDig7IZ+jQfiPkcQ79
 QW9o7NtpFIa1VDcPYdUkXT9VfvF9xYRGeahq59Aj7nmrzf50piksgH8oh24LIy8rxVJMVyVRvX7h
 J+69z9bETkdsuQQmHFjoSVXUYzLS71Ib+QAAAAAAAA==
 
 ------=_NextPart_000_0049_01C13F62.85360760--
 

From: Matthew Frost <matthewf@orac.frost.net>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: kern/30524: 4.4-RC4: panic in icmp_reflect [WITH PATCH]
Date: Wed, 19 Sep 2001 15:27:42 +0100

 This also occurs in 4.4-RELEASE using a machine as a bridge and
 putting:
 
 net.link.ether.bridge=1
 
 in /etc/sysctl.conf which brings up the bridging before the
 network interfaces get configured.
 
 Regards, Matthew
 
 -- 
 Matthew Frost                                         http://www.frost.org/
                                                   "A Invalid argument, 10:2"
Responsible-Changed-From-To: freebsd-bugs->dd 
Responsible-Changed-By: dd 
Responsible-Changed-When: Mon Oct 1 05:45:53 PDT 2001 
Responsible-Changed-Why:  
I'm working on this. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=30524 
State-Changed-From-To: open->closed 
State-Changed-By: dd 
State-Changed-When: Tue Nov 27 12:03:29 PST 2001 
State-Changed-Why:  
Fixed in rev. 1.63 of ip_icmp.c.  I'll MFC this after a few weeks. 
Thanks! 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=30524 
>Unformatted:
