From des@des.thinksec.com  Thu Dec 13 09:15:52 2001
Return-Path: <des@des.thinksec.com>
Received: from mx1.thinksec.com (time.thinksec.com [193.212.248.2])
	by hub.freebsd.org (Postfix) with ESMTP id BF3F837B405
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 13 Dec 2001 09:15:51 -0800 (PST)
Received: from des.thinksec.com (213-145-188-14.dd.nextgentel.com [213.145.188.14])
	by mx1.thinksec.com (Postfix) with ESMTP id 5154A480A6
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 13 Dec 2001 18:15:50 +0100 (CET)
Received: by des.thinksec.com (Postfix, from userid 2602)
	id C603D57C3; Thu, 13 Dec 2001 12:40:15 +0100 (CET)
Message-Id: <20011213114015.C603D57C3@des.thinksec.com>
Date: Thu, 13 Dec 2001 12:40:15 +0100 (CET)
From: Dag-Erling Smorgrav <des@des.thinksec.com>
Reply-To: Dag-Erling Smorgrav <des@des.thinksec.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Reproducible panic in ipfw
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         32806
>Category:       kern
>Synopsis:       Reproducible panic in ipfw
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    ru
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 13 09:20:01 PST 2001
>Closed-Date:    Sun Jan 13 23:54:43 PST 2002
>Last-Modified:  Sun Jan 13 23:55:40 PST 2002
>Originator:     Dag-Erling Smorgrav
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD des.thinksec.com 5.0-CURRENT FreeBSD 5.0-CURRENT #121: Wed Dec 5 11:40:09 CET 2001 des@des.thinksec.com:/usr/src/sys/i386/compile/DES i386


>Description:

If an outgoing packet originating on the local machine hits an "unreach" rule
in ipfw, a panic ensues in icmp_reflect() because there is no receiving
interface on which to transmit the ICMP unreachable.

>How-To-Repeat:

# ipfw add 1 unreach host ip from any to 10.0.0.0/8
00001 unreach host up from any to 10.0.0.0/8
# ifconfig dc0 inet 10.0.0.1 netmask 0xff000000
# telnet 10.0.0.2
Trying 10.0.0.2...
panic: icmp_reflect: NULL rcvif

The panic comes from the KASSERT on line 612 of sys/netinet/ip_icmp.c.

>Fix:

The code directly above the KASSERT already handles the case where the packet
that triggers the rule is destined for a local address.  Similar code should
be added to handle the case where the source address is a local address.
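
To make the control flow concrete, the following C model is an added example, not the PR's or FreeBSD's code: struct pkt, struct ifnet, the local address table, route_src() and the guard_rcvif switch are all constructed here. It reproduces the reply-source selection in icmp_reflect() for the reported packet, once with the KASSERT that panics on a NULL receiving interface and once with the rcvif guard that was later committed, so the reader can see why a locally originated packet reaches the assertion at all.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for struct ifnet and for the fields icmp_reflect() reads. */
#define IFF_BROADCAST 0x2u
struct ifnet { unsigned if_flags; uint32_t if_addr; };
struct pkt   { uint32_t src, dst; struct ifnet *rcvif; };  /* ip_src, ip_dst, m_pkthdr.rcvif */
enum reply_src { SRC_DST_MATCH, SRC_RCVIF, SRC_ROUTE, SRC_PANIC };
/* Constructed local address table, standing in for the INADDR_HASH lookup. */
static const uint32_t local_addrs[] = { 0x0a000001u /* 10.0.0.1 */, 0xc0a80101u /* 192.168.1.1 */ };
static int is_local(uint32_t a)
{
    for (size_t i = 0; i < sizeof local_addrs / sizeof *local_addrs; i++)
        if (local_addrs[i] == a) return 1;
    return 0;
}

/* Stand-in for the routing-table lookup the real code falls back to: the local
 * address a route to dst would use, or 0 when there is no route. */
static uint32_t route_src(uint32_t dst)
{
    if ((dst & 0xff000000u) == 0x0a000000u) return 0x0a000001u;  /* 10/8 via 10.0.0.1 */
    if ((dst & 0xffffff00u) == 0xc0a80100u) return 0xc0a80101u;  /* 192.168.1/24 */
    return 0;
}
/* guard_rcvif == 0 models the original code (SRC_PANIC marks where the KASSERT fires);
 * guard_rcvif == 1 models the fix, which only tests the broadcast flag when rcvif exists. */
enum reply_src reflect_select(struct pkt *p, int guard_rcvif, uint32_t *src_out)
{
    uint32_t t = p->dst;          /* original destination: first candidate reply source */
    p->dst = p->src;              /* the reply goes back to the original sender */
    if (is_local(t)) { *src_out = t; return SRC_DST_MATCH; }
    if (p->rcvif == NULL) {
        if (!guard_rcvif) return SRC_PANIC;
    } else if (p->rcvif->if_flags & IFF_BROADCAST) {
        *src_out = p->rcvif->if_addr; return SRC_RCVIF;
    }
    *src_out = route_src(p->dst); /* routing lookup "below", as in the committed fix */
    return SRC_ROUTE;
}

int main(void)
{   /* The PR scenario: 10.0.0.1 -> 10.0.0.2 originated locally, so rcvif is NULL. */
    struct pkt p = { 0x0a000001u, 0x0a000002u, NULL }, q = p;
    uint32_t s = 0;
    int old = reflect_select(&p, 0, &s), fixed = reflect_select(&q, 1, &s);
    printf("old code: %s; fixed: how=%d src=0x%08x\n", old == SRC_PANIC ? "panic" : "ok", fixed, (unsigned)s);
    return 0;
}
```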


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->ru 
Responsible-Changed-By: sheldonh 
Responsible-Changed-When: Sun Dec 30 04:31:25 PST 2001 
Responsible-Changed-Why:  
Ruslan, can you take a look at this one? 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=32806 

From: Maxim Konovalov <maxim@macomnet.ru>
To: Dag-Erling Smorgrav <des@des.thinksec.com>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: kern/32806: Reproducible panic in ipfw
Date: Tue, 1 Jan 2002 00:51:18 +0300 (MSK)

 Please review the patch below:
 
 Index: ip_icmp.c
 ===================================================================
 RCS file: /home/ncvs/src/sys/netinet/ip_icmp.c,v
 retrieving revision 1.65
 diff -u -r1.65 ip_icmp.c
 --- ip_icmp.c	14 Dec 2001 19:32:47 -0000	1.65
 +++ ip_icmp.c	31 Dec 2001 21:47:47 -0000
 @@ -601,14 +601,23 @@
  	t = ip->ip_dst;
  	ip->ip_dst = ip->ip_src;
  	/*
 -	 * If the incoming packet was addressed directly to us,
 -	 * use dst as the src for the reply.  Otherwise (broadcast
 -	 * or anonymous), use the address which corresponds
 -	 * to the incoming interface.
 +	 * The incoming packet was addressed directly to us,
 +	 * use dst as the src for the reply.
  	 */
  	LIST_FOREACH(ia, INADDR_HASH(t.s_addr), ia_hash)
  		if (t.s_addr == IA_SIN(ia)->sin_addr.s_addr)
  			goto match;
 +	/*
 +	 * Our outgoing packet hits an "unreach" ipfw rule,
 +	 * use src as the src for the reply.
 +	 */
 +	LIST_FOREACH(ia, INADDR_HASH(ip->ip_src.s_addr), ia_hash)
 +		if (ip->ip_src.s_addr == IA_SIN(ia)->sin_addr.s_addr)
 +			goto match;
 +	/*
 +	 * The incoming packet is a broadcast or anonymous, use
 +	 * the address which corresponds to the incoming interface.
 +	 */
  	KASSERT(m->m_pkthdr.rcvif != NULL, ("icmp_reflect: NULL rcvif"));
  	if (m->m_pkthdr.rcvif->if_flags & IFF_BROADCAST) {
  		TAILQ_FOREACH(ifa, &m->m_pkthdr.rcvif->if_addrhead, ifa_link) {
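Review bot: the added second LIST_FOREACH fixes only the reported case, a locally originated packet whose ip_src is one of our own addresses; any other path that reaches icmp_reflect() with m_pkthdr.rcvif == NULL and a non-local source still hits the KASSERT that follows, so the panic is narrowed rather than removed, and the assertion itself deserves a second look. The loop is also a copy of the one above it with ip->ip_src in place of t, and the rewritten first comment, "The incoming packet was addressed directly to us, use dst as the src for the reply.", no longer reads as the condition it describes; keeping the original "If the incoming packet was addressed directly to us ..." wording and adding an "If our own outgoing packet ..." sentence for the new loop would make the three cases read as one if/else chain.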
 
 -- 
 Maxim Konovalov, MAcomnet, Internet-Intranet Dept., system engineer
 phone: +7 (095) 796-9079, mailto: maxim@macomnet.ru
 

From: Ruslan Ermilov <ru@FreeBSD.org>
To: Maxim Konovalov <maxim@macomnet.ru>
Cc: bug-followup@FreeBSD.org, Luigi Rizzo <luigi@FreeBSD.org>,
	Dag-Erling Smorgrav <des@FreeBSD.org>,
	Sheldon Hearn <sheldonh@FreeBSD.org>,
	Erwin Lansing <erwin@lansing.dk>, re@FreeBSD.org
Subject: Re: kern/32806: Reproducible panic in ipfw
Date: Fri, 11 Jan 2002 12:56:25 +0200

 On Tue, Jan 01, 2002 at 05:29:38PM +0300, Maxim Konovalov wrote:
 > 
 > Hello,
 > 
 > Luigi and Ruslan, could you please review the patch?
 > 
 I have a much simpler solution to this problem.
 
 Index: ip_icmp.c
 ===================================================================
 RCS file: /home/ncvs/src/sys/netinet/ip_icmp.c,v
 retrieving revision 1.65
 diff -u -p -r1.65 ip_icmp.c
 --- ip_icmp.c	2001/12/14 19:32:47	1.65
 +++ ip_icmp.c	2002/01/11 10:50:08
 @@ -609,8 +609,8 @@ icmp_reflect(m)
  	LIST_FOREACH(ia, INADDR_HASH(t.s_addr), ia_hash)
  		if (t.s_addr == IA_SIN(ia)->sin_addr.s_addr)
  			goto match;
 -	KASSERT(m->m_pkthdr.rcvif != NULL, ("icmp_reflect: NULL rcvif"));
 -	if (m->m_pkthdr.rcvif->if_flags & IFF_BROADCAST) {
 +	if (m->m_pkthdr.rcvif != NULL &&
 +	    m->m_pkthdr.rcvif->if_flags & IFF_BROADCAST) {
  		TAILQ_FOREACH(ifa, &m->m_pkthdr.rcvif->if_addrhead, ifa_link) {
  			if (ifa->ifa_addr->sa_family != AF_INET)
  				continue;
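Review bot: with the KASSERT gone, correctness depends on the code below this hunk (the routing-table lookup the message refers to) never dereferencing m->m_pkthdr.rcvif itself; only the TAILQ_FOREACH over rcvif->if_addrhead is guarded by the new condition, so the no-match fall-through for the NULL-rcvif case should be checked in the same review. Two smaller points: style(9) would parenthesize the bitwise test inside the &&, `(m->m_pkthdr.rcvif->if_flags & IFF_BROADCAST)`, and the block comment a few lines above ("Otherwise (broadcast or anonymous), use the address which corresponds to the incoming interface") should now say that there may be no incoming interface when ipfw reflects a locally generated packet.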
 
 The case that causes a panic condition is then handled by
 a routing table lookup below.  I think that this KASSERT()
 was bogus in the first place.
 
 The same patch applies cleanly to -STABLE as well.
 
 I'd also like to MFC this change ASAP, hence the re@ CC:ed.
 
 
 Cheers,
 -- 
 Ruslan Ermilov		Oracle Developer/DBA,
 ru@sunbay.com		Sunbay Software AG,
 ru@FreeBSD.org		FreeBSD committer,
 +380.652.512.251	Simferopol, Ukraine
 
 http://www.FreeBSD.org	The Power To Serve
 http://www.oracle.com	Enabling The Information Age

From: Luigi Rizzo <luigi@FreeBSD.org>
To: Ruslan Ermilov <ru@FreeBSD.org>
Cc: Maxim Konovalov <maxim@macomnet.ru>, bug-followup@FreeBSD.org,
	Dag-Erling Smorgrav <des@FreeBSD.org>,
	Sheldon Hearn <sheldonh@FreeBSD.org>,
	Erwin Lansing <erwin@lansing.dk>, re@FreeBSD.org
Subject: Re: kern/32806: Reproducible panic in ipfw
Date: Fri, 11 Jan 2002 03:00:32 -0800

 fine with me
 
 	luigi
 
 On Fri, Jan 11, 2002 at 12:56:25PM +0200, Ruslan Ermilov wrote:
 > On Tue, Jan 01, 2002 at 05:29:38PM +0300, Maxim Konovalov wrote:
 > > 
 > > Hello,
 > > 
 > > Luigi and Ruslan, could you please review the patch?
 > > 
 > I have a much simpler solution to this problem.
 > 
 > Index: ip_icmp.c
 > ===================================================================
 > RCS file: /home/ncvs/src/sys/netinet/ip_icmp.c,v
 > retrieving revision 1.65
 > diff -u -p -r1.65 ip_icmp.c
 > --- ip_icmp.c	2001/12/14 19:32:47	1.65
 > +++ ip_icmp.c	2002/01/11 10:50:08
 > @@ -609,8 +609,8 @@ icmp_reflect(m)
 >  	LIST_FOREACH(ia, INADDR_HASH(t.s_addr), ia_hash)
 >  		if (t.s_addr == IA_SIN(ia)->sin_addr.s_addr)
 >  			goto match;
 > -	KASSERT(m->m_pkthdr.rcvif != NULL, ("icmp_reflect: NULL rcvif"));
 > -	if (m->m_pkthdr.rcvif->if_flags & IFF_BROADCAST) {
 > +	if (m->m_pkthdr.rcvif != NULL &&
 > +	    m->m_pkthdr.rcvif->if_flags & IFF_BROADCAST) {
 >  		TAILQ_FOREACH(ifa, &m->m_pkthdr.rcvif->if_addrhead, ifa_link) {
 >  			if (ifa->ifa_addr->sa_family != AF_INET)
 >  				continue;
 > 
 > The case that causes a panic condition is then handled by
 > a routing table lookup below.  I think that this KASSERT()
 > was bogus in the first place.
 > 
 > The same patch applies cleanly to -STABLE as well.
 > 
 > I'd also like to MFC this change ASAP, hence the re@ CC:ed.
 > 
 > 
 > Cheers,
 > -- 
 > Ruslan Ermilov		Oracle Developer/DBA,
 > ru@sunbay.com		Sunbay Software AG,
 > ru@FreeBSD.org		FreeBSD committer,
 > +380.652.512.251	Simferopol, Ukraine
 > 
 > http://www.FreeBSD.org	The Power To Serve
 > http://www.oracle.com	Enabling The Information Age

From: Maxim Konovalov <maxim@macomnet.ru>
To: Ruslan Ermilov <ru@FreeBSD.org>
Cc: bug-followup@FreeBSD.org, Luigi Rizzo <luigi@FreeBSD.org>,
	Dag-Erling Smorgrav <des@FreeBSD.org>,
	Sheldon Hearn <sheldonh@FreeBSD.org>,
	Erwin Lansing <erwin@lansing.dk>, <re@FreeBSD.org>
Subject: Re: kern/32806: Reproducible panic in ipfw
Date: Fri, 11 Jan 2002 14:15:19 +0300 (MSK)

 On 12:56+0200, Jan 11, 2002, Ruslan Ermilov wrote:
 
 > On Tue, Jan 01, 2002 at 05:29:38PM +0300, Maxim Konovalov wrote:
 > >
 > > Hello,
 > >
 > > Luigi and Ruslan, could you please review the patch?
 > >
 > I have a much simpler solution to this problem.
 
 Yep, it is better than mine.
 
 > Index: ip_icmp.c
 > ===================================================================
 > RCS file: /home/ncvs/src/sys/netinet/ip_icmp.c,v
 > retrieving revision 1.65
 > diff -u -p -r1.65 ip_icmp.c
 > --- ip_icmp.c	2001/12/14 19:32:47	1.65
 > +++ ip_icmp.c	2002/01/11 10:50:08
 > @@ -609,8 +609,8 @@ icmp_reflect(m)
 >  	LIST_FOREACH(ia, INADDR_HASH(t.s_addr), ia_hash)
 >  		if (t.s_addr == IA_SIN(ia)->sin_addr.s_addr)
 >  			goto match;
 > -	KASSERT(m->m_pkthdr.rcvif != NULL, ("icmp_reflect: NULL rcvif"));
 > -	if (m->m_pkthdr.rcvif->if_flags & IFF_BROADCAST) {
 > +	if (m->m_pkthdr.rcvif != NULL &&
 > +	    m->m_pkthdr.rcvif->if_flags & IFF_BROADCAST) {
 >  		TAILQ_FOREACH(ifa, &m->m_pkthdr.rcvif->if_addrhead, ifa_link) {
 >  			if (ifa->ifa_addr->sa_family != AF_INET)
 >  				continue;
 >
 > The case that causes a panic condition is then handled by
 > a routing table lookup below.  I think that this KASSERT()
 > was bogus in the first place.
 >
 > The same patch applies cleanly to -STABLE as well.
 >
 > I'd also like to MFC this change ASAP, hence the re@ CC:ed.
 >
 >
 > Cheers,
 >
 
 -- 
 Maxim Konovalov, MAcomnet, Internet-Intranet Dept., system engineer
 phone: +7 (095) 796-9079, mailto: maxim@macomnet.ru
 

From: Erwin Lansing <erwin@lansing.dk>
To: Ruslan Ermilov <ru@FreeBSD.org>
Cc: Maxim Konovalov <maxim@macomnet.ru>, bug-followup@FreeBSD.org,
	Luigi Rizzo <luigi@FreeBSD.org>,
	Dag-Erling Smorgrav <des@FreeBSD.org>,
	Sheldon Hearn <sheldonh@FreeBSD.org>,
	Erwin Lansing <erwin@lansing.dk>, re@FreeBSD.org
Subject: Re: kern/32806: Reproducible panic in ipfw
Date: Fri, 11 Jan 2002 12:48:36 +0100

 On Fri, Jan 11, 2002 at 12:56:25PM +0200, Ruslan Ermilov wrote:
 > On Tue, Jan 01, 2002 at 05:29:38PM +0300, Maxim Konovalov wrote:
 > > 
 > > Hello,
 
 Hep,
 
 > > 
 > > Luigi and Ruslan, could you please review the patch?
 > > 
 > I have a much simpler solution to this problem.
 > 
 [snip patch]
 > 
 > The case that causes a panic condition is then handled by
 > a routing table lookup below.  I think that this KASSERT()
 > was bogus in the first place.
 > 
 > The same patch applies cleanly to -STABLE as well.
 > 
 > I'd also like to MFC this change ASAP, hence the re@ CC:ed.
 > 
 This new patch works like a charm
 
 /erwin
 
 -- 
 Erwin Lansing 		-- 		http://droso.org
 
 I love deadlines.                       -- Douglas Adams
 I love the whooshing sound they make as they fly by.
State-Changed-From-To: open->feedback 
State-Changed-By: ru 
State-Changed-When: Fri Jan 11 04:15:15 PST 2002 
State-Changed-Why:  
Fix committed into 5.0-CURRENT (sys/netinet/ip_icmp.c,v 1.66). 

Awaiting approval from re@ to MFC. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=32806 
State-Changed-From-To: feedback->closed 
State-Changed-By: ru 
State-Changed-When: Sun Jan 13 23:54:43 PST 2002 
State-Changed-Why:  
Fixed in 4.5-RC, src/sys/netinet/ip_icmp.c,v 1.39.2.14. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=32806 
>Unformatted:
