Subject: kern/30835: pf panic with synproxy rules
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <sagawa@sohgoh.net>
List: netbsd-bugs
Date: 07/26/2005 06:17:00
>Number: 30835
>Category: kern
>Synopsis: pf panic with synproxy rules
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Jul 26 06:17:00 +0000 2005
>Originator: Akihiro Sagawa
>Release: NetBSD 3.99.7
>Organization:
>Environment:
System: NetBSD potato 3.99.7 NetBSD 3.99.7 (POTATO) #1: Thu Jul 14 21:13:09 JST 2005 sagawa@cactus:/usr/src/netbsd/obj/sys/arch/i386/compile/POTATO i386
>Description:
kernel panics when pf receives a packet which matches synproxy rules.
>How-To-Repeat:
1. Make a kernel with pf support, and reboot to use the kernel.
ex. add below config to GENERIC config
pseudo-device pf
pseudo-device pflog
2. Write a synproxy rule, and enable it.
ex. edit /etc/pf.conf
pass in on fxp0 proto tcp from any to any flags S/SA synproxy state
pfctl -f /etc/pf.conf
3. Send a TCP packet from another host to the host.
ex. telnet target_host
>Fix:
On pf.c (rev.1.17) line 6496, *mp (*m0) is set to NULL even when action = PF_PASS when using
synproxy (previously the action value was PF_SYNPROXY_DROP).
Therefore we need to check whether *mp is NULL.
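The hazard the PR describes, as an added illustration that is not part of the report or of NetBSD's sources: a callee (pf_test) can legitimately report "pass" while having already freed the packet and set the caller's pointer to NULL, so every caller must re-check the pointer before touching it. The mbuf struct, constants and fake_pf_test() below are constructed stand-ins, not the real kernel definitions; pf_hook_fixed() mirrors the guarded shape of the pfil wrapper, and run_inbound() reports what an inbound packet looks like after the hook.

```c
#include <stdlib.h>

/* Constructed stand-ins for the kernel constants involved (not NetBSD's headers). */
#define M_CANFASTFWD 0x0001
#define PFIL_IN      1
#define PFIL_OUT     2
#define PF_PASS      1
#define PF_DROP      0
#define EHOSTUNREACH 65

/* Minimal constructed mbuf: a real mbuf carries far more than this. */
struct mbuf {
    int m_flags;
    int matches_synproxy; /* constructed: 1 if a "synproxy state" rule matches */
};

/* Stand-in for pf_test(). On a synproxy match pf answers the SYN itself,
 * frees the original mbuf and hands back *mp == NULL while still returning
 * PF_PASS (the report notes it used to return PF_SYNPROXY_DROP instead).
 * Any other packet is passed through untouched. */
static int fake_pf_test(int dir, struct mbuf **mp)
{
    (void)dir;
    if ((*mp)->matches_synproxy) {
        free(*mp);
        *mp = NULL;
    }
    return PF_PASS;
}

/* Hook wrapper with the PR's fix applied: the fast-forward flag is only
 * cleared when pf actually handed a packet back. Without the "&& *mp"
 * the synproxy case dereferences NULL, which is the reported panic. */
static int pf_hook_fixed(struct mbuf **mp, int dir)
{
    if (fake_pf_test(dir, mp) != PF_PASS) {
        free(*mp);
        *mp = NULL;
        return EHOSTUNREACH;
    }
    /* we're not compatible with fast-forward. */
    if (dir == PFIL_IN && *mp) {
        (*mp)->m_flags &= ~M_CANFASTFWD;
    }
    return 0;
}

/* Runs one inbound packet through the hook. Returns the packet's flags
 * afterwards, or -1 when the hook returned 0 but consumed the packet
 * (the synproxy case): the caller then has nothing left to touch. */
int run_inbound(int matches_synproxy)
{
    struct mbuf *m = calloc(1, sizeof *m);
    int rv, flags;

    if (m == NULL)
        return -2;
    m->m_flags = M_CANFASTFWD;
    m->matches_synproxy = matches_synproxy;

    rv = pf_hook_fixed(&m, PFIL_IN);
    if (rv != 0) {
        free(m);          /* free(NULL) is a no-op */
        return -3;
    }
    if (m == NULL)
        return -1;        /* consumed by synproxy: pass, but no mbuf */

    flags = m->m_flags;
    free(m);
    return flags;
}
```

A plain packet comes back with M_CANFASTFWD cleared; a packet matching the synproxy rule comes back as "pass, no mbuf", which is exactly the combination the unguarded code never expected.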
--- src/sys/dist/pf/net/pf_ioctl.c.orig 2005-07-11 20:18:59.000000000 +0900
+++ src/sys/dist/pf/net/pf_ioctl.c 2005-07-16 05:27:31.000000000 +0900
@@ -2995,7 +2995,7 @@
* we're not compatible with fast-forward.
*/
- if (dir == PFIL_IN) {
+ if (dir == PFIL_IN && *mp) {
(*mp)->m_flags &= ~M_CANFASTFWD;
}
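Review bot: the `*mp` guard removes the NULL dereference, but the comment above it still only says "we're not compatible with fast-forward", so the extra condition looks redundant to a later reader and risks being dropped; add a line there stating that pf_test() can return PF_PASS with *mp == NULL once a synproxy rule has consumed the packet (the description says this replaced the old PF_SYNPROXY_DROP result). It is also worth confirming that a 0 return together with *mp == NULL is handled by the hook runner and the IP input path, since this change now lets that combination propagate past the wrapper.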