Subject: kern/5661: ipf rules cause panic
To: None <gnats-bugs@gnats.netbsd.org>
From: Martin J. Laubach <mjl@emsi.priv.at>
List: netbsd-bugs
Date: 06/26/1998 19:33:52
>Number: 5661
>Category: kern
>Synopsis: Some more elaborate ipf filter rules can crash the system
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people (Kernel Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Jun 26 10:35:01 1998
>Last-Modified:
>Originator: Martin J. Laubach
>Organization:
>Release: 1.3.2
>Environment:
System: NetBSD asparagus 1.3.2 NetBSD 1.3.2 (ASPARAGUS) #1: Mon Jun 15 20:08:31 CEST 1998 mjl@asparagus:/home/temp/kernel/sys/arch/i386/compile/ASPARAGUS i386
>Description:
In trying to route packets on source address, I tried the
following ipf rule:

pass out log quick on ne0 to tun3:195.26.201.28 from 195.26.201.18 to any

and the reception of a matching packet will cause an instant kernel panic
(vm fault, fatal page fault).
>How-To-Repeat:
Simplified version: suppose you have two interfaces, ne0 and ep0,
with the default route going out of ne0; then the following will reproduce
the problem:

ipf -f - <<EOF
pass out on ne0 to ep0 from any to 192.99.99.99
EOF
ping 192.99.99.99
>Fix:
>Audit-Trail:
>Unformatted: