NetBSD Problem Report #43484
From mark@ecs.vuw.ac.nz Wed Jun 16 02:04:35 2010
Return-Path: <mark@ecs.vuw.ac.nz>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by www.NetBSD.org (Postfix) with ESMTP id 034D463B916
for <gnats-bugs@gnats.NetBSD.org>; Wed, 16 Jun 2010 02:04:34 +0000 (UTC)
Message-Id: <201006160204.o5G24TF0012502@city-art.ecs.vuw.ac.nz>
Date: Wed, 16 Jun 2010 14:04:29 +1200 (NZST)
From: mark@ecs.vuw.ac.nz
Reply-To: mark@ecs.vuw.ac.nz
To: gnats-bugs@gnats.NetBSD.org
Subject: wrong length in "larger" icmp packets when IPF enabled
X-Send-Pr-Version: 3.95
>Number: 43484
>Category: kern
>Synopsis: IPF: wrong length in "larger" icmp packets when IPF enabled
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: ipf-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Jun 16 02:05:00 +0000 2010
>Last-Modified: Sun Feb 25 18:32:45 +0000 2018
>Originator: Mark Davies
>Release: NetBSD 5.0_STABLE
>Organization:
ECS, Victoria Uni. of Wellington, New Zealand.
>Environment:
System: NetBSD city-art.ecs.vuw.ac.nz 5.0_STABLE NetBSD 5.0_STABLE (ECS_WORKSTATION) #7: Sun Feb 28 09:13:18 NZDT 2010 mark@turakirae.ecs.vuw.ac.nz:/local/SAVE/build.obj/src/work/5/src/sys/arch/i386/compile/ECS_WORKSTATION i386
Architecture: i386
Machine: i386
>Description:
IPF seems to be producing IP packets with the length field byteswapped
for ICMP packets that it relays larger than 200 bytes in size (including
the ip header).
First noticed with a 5.0_RC3/i386 system. Problem still there with a
5.1_RC3/i386 system and a -current snapshot from yesterday.
http://ecs.victoria.ac.nz/~mark/inside3.pcap contains a tcpdump trace
captured on the internal interface of the box running ipf
showing 12 icmp port unreachable packets, and the outgoing packets
that caused them.
The first 4 are length 200 and pass through OK.
The second 4 are length 201 but have length 51456 (201 byte swapped)
recorded and have incorrect ip header checksums.
The last 4 are length 201 but ipf has been disabled and they pass
through OK.
>How-To-Repeat:
Enable IPF on a machine acting as a router with the following
minimal ruleset
pass in all
pass out all
use scamper from a machine on one side of the router to a machine
on the other to cause icmp port unreachable packets of a particular
size be generated.
scamper -c 'ping -P udp -s 172' -i a.b.c.d
scamper -c 'ping -P udp -s 173' -i a.b.c.d
observe the first succeed and the second fail.
>Fix:
unknown
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: kern-bug-people->darrenr
Responsible-Changed-By: mrg@NetBSD.org
Responsible-Changed-When: Wed, 16 Jun 2010 02:15:13 +0000
Responsible-Changed-Why:
over to IPF maintainer.
Responsible-Changed-From-To: darrenr->kern-bug-people
Responsible-Changed-By: wiz@NetBSD.org
Responsible-Changed-When: Mon, 23 Dec 2013 11:31:46 +0000
Responsible-Changed-Why:
resigned, back to role account
Responsible-Changed-From-To: kern-bug-people->ipf-bug-people
Responsible-Changed-By: dholland@NetBSD.org
Responsible-Changed-When: Mon, 23 Dec 2013 17:38:04 +0000
Responsible-Changed-Why:
there's a special role for ipf bugs
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.43 2018/01/16 07:36:43 maya Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2017
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.