From david@bill.inty.net  Wed Jun  4 06:40:00 2003
Return-Path: <david@bill.inty.net>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B42BB37B401
	for <FreeBSD-gnats-submit@freebsd.org>; Wed,  4 Jun 2003 06:40:00 -0700 (PDT)
Received: from jane.inty.net (jane.inty.net [195.224.93.242])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 79E9D43F3F
	for <FreeBSD-gnats-submit@freebsd.org>; Wed,  4 Jun 2003 06:39:56 -0700 (PDT)
	(envelope-from david@bill.inty.net)
Received: from bill.inty.net (bill.inty.net [212.50.178.162])
	by jane.inty.net (8.11.6p2/8.11.6) with ESMTP id h54DdkS39767
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 4 Jun 2003 14:39:50 +0100 (BST)
Received: from bill.inty.net (localhost.inty.net [127.0.0.1])
	by bill.inty.net (8.12.3/8.12.3) with ESMTP id h54DdjLB014943
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 4 Jun 2003 14:39:45 +0100 (BST)
	(envelope-from david@bill.inty.net)
Received: (from root@localhost)
	by bill.inty.net (8.12.3/8.12.3/Submit) id h54Ddita014942;
	Wed, 4 Jun 2003 14:39:44 +0100 (BST)
Message-Id: <200306041339.h54Ddita014942@bill.inty.net>
Date: Wed, 4 Jun 2003 14:39:44 +0100 (BST)
From: David Hedley <david@bill.inty.net>
Reply-To: David Hedley <david@bill.inty.net>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: occasional panic in ip_input with IPSEC
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         52935
>Category:       kern
>Synopsis:       occasional panic in ip_input with IPSEC
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bms
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun 04 06:40:11 PDT 2003
>Closed-Date:    Tue Dec 13 00:49:08 GMT 2005
>Last-Modified:  Tue Dec 13 00:49:08 GMT 2005
>Originator:     David Hedley
>Release:        FreeBSD 4.7-RELEASE i386
>Organization:
Inty Ltd
>Environment:
>Description:

We are seeing occasional kernel panics when using IPSEC. The panic occurs in ip_input at the following line:

         * be handled via ip_forward() and ether_output() with the loopback
         * into the stack for SIMPLEX interfaces handled by ether_output().
         */
        if (m->m_pkthdr.rcvif->if_flags & IFF_BROADCAST) {   <<<<< Panic here
                TAILQ_FOREACH(ifa, &m->m_pkthdr.rcvif->if_addrhead, ifa_link) {
                        if (ifa->ifa_addr->sa_family != AF_INET)
                                continue;
                        ia = ifatoia(ifa);


It seems that m_pkthdr.rcvif is NULL and hence the resulting dereference is invalid.

>How-To-Repeat:

>Fix:

Ensure rcvif is not NULL before dereferencing it:

         * be handled via ip_forward() and ether_output() with the loopback
         * into the stack for SIMPLEX interfaces handled by ether_output().
         */
        if (m->m_pkthdr.rcvif && m->m_pkthdr.rcvif->if_flags & IFF_BROADCAST) {
                TAILQ_FOREACH(ifa, &m->m_pkthdr.rcvif->if_addrhead, ifa_link) {
                        if (ifa->ifa_addr->sa_family != AF_INET)
                                continue;
                        ia = ifatoia(ifa);
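
The following is an added example, not code from the PR or from the FreeBSD tree: a reduced user-space model of the broadcast check above, with the unguarded form beside the guarded one. The struct names (ifnet, ifaddr, mbuf, m_pkthdr.rcvif) mirror the kernel's, but the definitions, the IFF_BROADCAST value and the 192.0.2.0/24 fixture are constructed here for illustration. It also shows why the one-line fix is sufficient: & binds tighter than &&, so the guarded condition reads rcvif && (if_flags & IFF_BROADCAST), and a NULL rcvif short-circuits to "not a broadcast for us" instead of being dereferenced.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/queue.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Constructed model: same bit as FreeBSD's net/if.h, but a local definition. */
#define IFF_BROADCAST 0x2

struct ifaddr {
    struct sockaddr *ifa_addr;        /* interface address */
    struct sockaddr *ifa_broadaddr;   /* directed broadcast address */
    TAILQ_ENTRY(ifaddr) ifa_link;
};

struct ifnet {
    int if_flags;
    TAILQ_HEAD(, ifaddr) if_addrhead;
};

struct mbuf {
    struct {
        struct ifnet *rcvif;          /* receiving interface; the PR reports it can be NULL */
    } m_pkthdr;
};

/* Walk the interface's AF_INET addresses, like the TAILQ_FOREACH in ip_input(). */
static int addr_is_broadcast_on(struct ifnet *ifp, in_addr_t dst)
{
    struct ifaddr *ifa;
    TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) {
        if (ifa->ifa_addr->sa_family != AF_INET)
            continue;
        if (((struct sockaddr_in *)ifa->ifa_broadaddr)->sin_addr.s_addr == dst)
            return 1;
    }
    return 0;
}

/* 4.7 behaviour: rcvif is dereferenced unconditionally; a NULL rcvif faults here. */
int is_broadcast_unchecked(const struct mbuf *m, in_addr_t dst)
{
    if (m->m_pkthdr.rcvif->if_flags & IFF_BROADCAST)
        return addr_is_broadcast_on(m->m_pkthdr.rcvif, dst);
    return 0;
}

/* Guarded form from the PR: rcvif && (if_flags & IFF_BROADCAST). */
int is_broadcast_checked(const struct mbuf *m, in_addr_t dst)
{
    if (m->m_pkthdr.rcvif && m->m_pkthdr.rcvif->if_flags & IFF_BROADCAST)
        return addr_is_broadcast_on(m->m_pkthdr.rcvif, dst);
    return 0;
}

/* Constructed fixture: one broadcast-capable interface, 192.0.2.1 with broadcast 192.0.2.255. */
struct ifnet *make_test_ifnet(void)
{
    static struct ifnet ifp;
    static struct ifaddr ifa;
    static struct sockaddr_in addr, bcast;
    static int initialised;

    if (!initialised) {
        memset(&addr, 0, sizeof addr);
        memset(&bcast, 0, sizeof bcast);
        addr.sin_family = AF_INET;
        addr.sin_addr.s_addr = inet_addr("192.0.2.1");
        bcast.sin_family = AF_INET;
        bcast.sin_addr.s_addr = inet_addr("192.0.2.255");
        ifa.ifa_addr = (struct sockaddr *)&addr;
        ifa.ifa_broadaddr = (struct sockaddr *)&bcast;
        ifp.if_flags = IFF_BROADCAST;
        TAILQ_INIT(&ifp.if_addrhead);
        TAILQ_INSERT_TAIL(&ifp.if_addrhead, &ifa, ifa_link);
        initialised = 1;
    }
    return &ifp;
}

/* Build a packet header with the given (possibly NULL) rcvif and run the guarded check. */
int checked_verdict(struct ifnet *rcvif, const char *dst)
{
    struct mbuf m;
    m.m_pkthdr.rcvif = rcvif;
    return is_broadcast_checked(&m, inet_addr(dst));
}

/* Same, with the unguarded check; only safe to call with a non-NULL rcvif. */
int unchecked_verdict(struct ifnet *rcvif, const char *dst)
{
    struct mbuf m;
    m.m_pkthdr.rcvif = rcvif;
    return is_broadcast_unchecked(&m, inet_addr(dst));
}

int main(void)
{
    printf("rcvif=NULL, dst=192.0.2.255 -> %d\n", checked_verdict(NULL, "192.0.2.255"));
    printf("rcvif=ifp,  dst=192.0.2.255 -> %d\n", checked_verdict(make_test_ifnet(), "192.0.2.255"));
    printf("rcvif=ifp,  dst=192.0.2.1   -> %d\n", checked_verdict(make_test_ifnet(), "192.0.2.1"));
    return 0;
}
```

With rcvif NULL the guarded check returns 0 and the packet falls through to the rest of ip_input()'s delivery logic rather than faulting; with a real interface both forms agree, which is why the fix changes behaviour only in the failing case.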


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->bms 
Responsible-Changed-By: bms 
Responsible-Changed-When: Wed Jun 16 09:06:27 GMT 2004 
Responsible-Changed-Why:  
I'll take this 

http://www.freebsd.org/cgi/query-pr.cgi?pr=52935 
State-Changed-From-To: open->analyzed 
State-Changed-By: bms 
State-Changed-When: Fri Jun 18 12:35:24 GMT 2004 
State-Changed-Why:  
This condition could definitely exist, but not sure if this is the 
right fix; will consult other network developers before proceeding. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=52935 
State-Changed-From-To: analyzed->patched 
State-Changed-By: bms 
State-Changed-When: Fri Jun 18 12:58:53 GMT 2004 
State-Changed-Why:  
The same fix has been found to have been applied elsewhere in relation 
to locally generated packets. This fix has been committed to HEAD. 
Good catch. Thanks. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=52935 
State-Changed-From-To: patched->closed 
State-Changed-By: bms 
State-Changed-When: Tue Dec 13 00:48:50 UTC 2005 
State-Changed-Why:  
-CURRENT is now -STABLE 
No similar reports since release 

http://www.freebsd.org/cgi/query-pr.cgi?pr=52935 
>Unformatted:
