* Adrian M. Whatley <[EMAIL PROTECTED]> [2008-07-14 13:54]:
> It's a NULL pointer bug!

> which is from line 1726 in pf_send_icmp() in pf.c:
>
>       m0->m_pkthdr.pf.flags |= PF_TAG_GENERATED;

> Looking at m_copym0, it looks like it can legitimately fail and return
> NULL (it even increments a global variable MCFail when it does so) and
> therefore the bug is that its return value is not being checked in
> pf_send_icmp.

perfect analysis!

looks like the only sane thing to do in that case is to bail and not
send the icmp.

Index: pf.c
===================================================================
RCS file: /cvs/src/sys/net/pf.c,v
retrieving revision 1.609
diff -u -p -r1.609 pf.c
--- pf.c        10 Jul 2008 07:41:21 -0000      1.609
+++ pf.c        14 Jul 2008 12:20:27 -0000
@@ -1819,7 +1819,9 @@ pf_send_icmp(struct mbuf *m, u_int8_t ty
 {
        struct mbuf     *m0;
 
-       m0 = m_copy(m, 0, M_COPYALL);
+       if ((m0 = m_copy(m, 0, M_COPYALL)) == NULL)
+               return;
+
        m0->m_pkthdr.pf.flags |= PF_TAG_GENERATED;
 
        if (r->rtableid >= 0)
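Review bot: The NULL check and early return are the right fix for the unchecked m_copy() result, but nothing here records that a generated ICMP was dropped; the quoted analysis says m_copym0 already bumps MCFail, so no extra counter is needed, though a one-line comment on the `return;` (for example `/* out of mbufs, drop the generated ICMP */`) would tell the next reader that the silent drop is deliberate rather than an oversight. It is also worth auditing the other places in pf.c that call m_copy() or allocate an mbuf for a generated packet for the same missing check, since this hunk only covers pf_send_icmp().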


-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
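
A userland fault-injection harness for the failure path discussed in this thread, added here as an example and not OpenBSD's or pf's own code: `struct mbuf_mock`, `mock_m_copy()`, `mcfail_mock`, `send_icmp_checked()` and `run_burst()` are hypothetical stand-ins for the kernel's mbuf, m_copy(), MCFail and pf_send_icmp(). The point is the test, not the kernel: an allocator that can be told to fail on the Nth copy lets you exercise the `== NULL` branch deterministically and confirm that the post-patch shape drops the reply instead of dereferencing NULL.

```c
/* Added example, not OpenBSD code. All names below are hypothetical
 * mocks of the kernel objects named in the thread. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

struct mbuf_mock {              /* stand-in for struct mbuf */
    unsigned flags;             /* stand-in for m_pkthdr.pf.flags */
    size_t len;
    unsigned char data[64];
};

#define PF_TAG_GENERATED_MOCK 0x01

/* Fault injection: when > 0, counts down on each copy and the copy that
 * reaches 0 fails. 0 means "never inject a failure". */
static int copy_fail_after = 0;
static unsigned long mcfail_mock = 0;   /* stand-in for MCFail */

/* Stand-in for m_copy(m, 0, M_COPYALL): may legitimately return NULL. */
static struct mbuf_mock *mock_m_copy(const struct mbuf_mock *m)
{
    if (copy_fail_after > 0 && --copy_fail_after == 0) {
        mcfail_mock++;
        return NULL;
    }
    struct mbuf_mock *m0 = malloc(sizeof *m0);
    if (m0 == NULL) {
        mcfail_mock++;
        return NULL;
    }
    memcpy(m0, m, sizeof *m0);
    return m0;
}

enum send_result { SENT, DROPPED_NO_MBUF };

/* Post-patch shape of pf_send_icmp(): bail when the copy fails.
 * The pre-patch shape did m0->flags |= ... unconditionally, which is a
 * NULL dereference whenever the copy fails. */
static enum send_result
send_icmp_checked(const struct mbuf_mock *m, struct mbuf_mock **out)
{
    struct mbuf_mock *m0;

    if ((m0 = mock_m_copy(m)) == NULL)
        return DROPPED_NO_MBUF;     /* out of mbufs: drop the reply */
    m0->flags |= PF_TAG_GENERATED_MOCK;
    *out = m0;
    return SENT;
}

/* Drive n reply attempts with one injected copy failure at position
 * fail_at (1-based; 0 = no failure). Returns the number of replies
 * dropped and, via sent_out, the number generated. */
static int run_burst(int n, int fail_at, int *sent_out)
{
    struct mbuf_mock in;        /* constructed sample packet */
    int sent = 0, dropped = 0;

    memset(&in, 0, sizeof in);
    in.len = 4;
    memcpy(in.data, "ping", 4);
    copy_fail_after = fail_at;

    for (int i = 0; i < n; i++) {
        struct mbuf_mock *reply = NULL;
        if (send_icmp_checked(&in, &reply) == SENT) {
            sent++;
            free(reply);
        } else {
            dropped++;
        }
    }
    if (sent_out != NULL)
        *sent_out = sent;
    return dropped;
}

int main(void)
{
    int sent;
    int dropped = run_burst(5, 3, &sent);

    printf("sent=%d dropped=%d mcfail=%lu\n", sent, dropped, mcfail_mock);
    return 0;
}
```

With the failure injected on the third copy, the harness reports four replies sent, one dropped and the MCFail stand-in incremented once; without injection every reply is sent. The same countdown-allocator trick works against real kernel code built as a host test, and it is the check a reviewer would want before trusting any "bail on NULL" fix.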
