https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=288333
Bug ID: 288333
Summary: NULL dereference in ipf_pr_icmp6
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: [email protected]
Reporter: [email protected]
Attachment #262288 mime type: text/plain
Created attachment 262288
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=262288&action=edit
send a packet that causes ipf_pr_icmp6() to dereference NULL
I've attached a demo program that sets up ipf with

    pass out quick on tap1 proto tcp from any to any port = 22 flags S keep state

and sends an outgoing tap0->tap1 inet6/tcp packet to set up state, and
then sends an inward inet6/IPPROTO_AH packet on tap1 that, because it
has ttl=0, is rejected by ip6_forward(). As part of generating an
ICMPv6 error packet, ipf_checkicmp6matchingstate() says

    ofin.fin_m = NULL; /* if dereferenced, panic XXX */
    ...
    (void) ipf_makefrip(sizeof(*oip6), (ip_t *)oip6, &ofin);

the latter causes ipf_pr_icmp6() to be called, which says

    case ICMP6_DST_UNREACH :
    case ICMP6_PACKET_TOO_BIG :
    case ICMP6_TIME_EXCEEDED :
    case ICMP6_PARAM_PROB :
    ...
    if (M_LEN(fin->fin_m) < fin->fin_plen) {

#0 0xffffffc0000885d2 in ipf_pr_icmp6 (fin=0xffffffc082adfd90)
at /usr/rtm/symbsd/src/sys/netpfil/ipfilter/netinet/fil.c:908
#1 ipf_pr_ipv6hdr (fin=0xffffffc082adfd90)
at /usr/rtm/symbsd/src/sys/netpfil/ipfilter/netinet/fil.c:481
#2 ipf_makefrip (hlen=<optimized out>, ip=<optimized out>,
fin=0xffffffc082adfd90)
at /usr/rtm/symbsd/src/sys/netpfil/ipfilter/netinet/fil.c:2023
#3 0xffffffc0000b1972 in ipf_checkicmp6matchingstate (fin=<optimized out>)
at /usr/rtm/symbsd/src/sys/netpfil/ipfilter/netinet/ip_state.c:4391
#4 0xffffffc0000b0f62 in ipf_state_lookup (fin=0xffffffc082ae00d0,
tcp=0xffffffd00192cc88, ifqp=0xffffffc082ae0058)
at /usr/rtm/symbsd/src/sys/netpfil/ipfilter/netinet/ip_state.c:3057
#5 0xffffffc0000b1f5e in ipf_state_check (fin=0x92, passp=0xffffffc082ae00cc)
at /usr/rtm/symbsd/src/sys/netpfil/ipfilter/netinet/ip_state.c:3252
#6 0xffffffc00008988e in ipf_check (ctx=0xffffffc03decf000,
ip=<optimized out>, hlen=<optimized out>, ifp=<optimized out>, out=1,
mp=0xffffffc082ae0460)
at /usr/rtm/symbsd/src/sys/netpfil/ipfilter/netinet/fil.c:2971
#7 0xffffffc000095d6e in ipf_check_wrapper6 (mp=0xffffffc082ae0460, ifp=0x3,
flags=<optimized out>, ruleset=<optimized out>, inp=<optimized out>)
at /usr/rtm/symbsd/src/sys/netpfil/ipfilter/netinet/ip_fil_freebsd.c:137
#8 0xffffffc0005bdd9e in pfil_mbuf_common (pch=<optimized out>,
m=0xffffffc082ae0460, ifp=0xffffffd018c4d800, flags=131072, inp=0x0)
at /usr/rtm/symbsd/src/sys/net/pfil.c:213
#9 pfil_mbuf_out (head=<optimized out>, m=0xffffffc082ae0460,
ifp=0xffffffd018c4d800, inp=0x0) at /usr/rtm/symbsd/src/sys/net/pfil.c:239
#10 0xffffffc00071e12c in ip6_output (m0=<optimized out>, opt=0x0, ro=0x0,
flags=<optimized out>, im6o=<optimized out>, ifpp=0xffffffc082ae0510,
inp=0x0) at /usr/rtm/symbsd/src/sys/netinet6/ip6_output.c:1027
#11 0xffffffc000703ea6 in icmp6_reflect (m=0xffffffd018b73500,
off=<optimized out>) at /usr/rtm/symbsd/src/sys/netinet6/icmp6.c:2171
#12 0xffffffc000703738 in icmp6_error (m=0xffffffd018b73500,
type=<optimized out>, code=0, param=0)
at /usr/rtm/symbsd/src/sys/netinet6/icmp6.c:390
#13 0xffffffc000717790 in ip6_forward (m=0xffffffd018b73400,
srcrt=<optimized out>)
at /usr/rtm/symbsd/src/sys/netinet6/ip6_forward.c:135
#14 0xffffffc000718e94 in ip6_input (m=0xffffffd018b73400)
at /usr/rtm/symbsd/src/sys/netinet6/ip6_input.c:903

    if (M_LEN(fin->fin_m) < fin->fin_plen) {
    (gdb) print fin->fin_m
    $14 = (mb_t *) 0x0
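Added example, not the ipfilter source and not a proposed patch: a stand-alone C model of the length check at the crash site, with the fin_m == NULL case that ipf_checkicmp6matchingstate() creates handled explicitly instead of dereferenced. The struct layouts, the result enum and model_check() are assumptions for the sake of the model; only M_LEN(), fin_m and fin_plen are names from the report.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-ins for the kernel types (assumed shapes, not the real layouts). */
struct mbuf { int m_len; };
#define M_LEN(m) ((m)->m_len)          /* same shape as FreeBSD's M_LEN() */

typedef struct fr_info {
    struct mbuf *fin_m;                /* NULL on the icmp6 matching-state path */
    int          fin_plen;             /* payload length claimed by the packet */
} fr_info_t;

enum icmp6_len_result { ICMP6_LEN_OK, ICMP6_LEN_SHORT, ICMP6_LEN_NO_MBUF };

/* Hypothetical guarded form of the check: with no mbuf there is nothing
 * to measure, so report that to the caller rather than touching fin_m. */
enum icmp6_len_result icmp6_len_check(const fr_info_t *fin)
{
    if (fin->fin_m == NULL)
        return ICMP6_LEN_NO_MBUF;
    if (M_LEN(fin->fin_m) < fin->fin_plen)
        return ICMP6_LEN_SHORT;
    return ICMP6_LEN_OK;
}

/* Builds a constructed fr_info for one case: have_mbuf == 0 models the
 * ofin.fin_m = NULL assignment quoted in the report. */
enum icmp6_len_result model_check(int have_mbuf, int m_len, int plen)
{
    struct mbuf m = { .m_len = m_len };
    fr_info_t fin = { .fin_m = have_mbuf ? &m : NULL, .fin_plen = plen };
    return icmp6_len_check(&fin);
}

int main(void)
{
    printf("mbuf holds payload: %d\n", model_check(1, 64, 48));  /* 0 = OK */
    printf("mbuf too short:     %d\n", model_check(1, 64, 128)); /* 1 = SHORT */
    printf("no mbuf (the bug):  %d\n", model_check(0, 0, 48));   /* 2 = NO_MBUF */
    return 0;
}
```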