NetBSD Problem Report #43548
From kefren@kefren.ngnetworks.ro Thu Jul 1 22:19:43 2010
Return-Path: <kefren@kefren.ngnetworks.ro>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by www.NetBSD.org (Postfix) with ESMTP id ED47063BA69
for <gnats-bugs@gnats.NetBSD.org>; Thu, 1 Jul 2010 22:19:42 +0000 (UTC)
Message-Id: <20100701202354.41629283C109@kefren.ngnetworks.ro>
Date: Thu, 1 Jul 2010 23:23:54 +0300 (EEST)
From: kefren@netbsd.org
Reply-To: kefren@netbsd.org
To: gnats-bugs@gnats.NetBSD.org
Subject: raising net.inet.icmp.returndatabytes causes panic
X-Send-Pr-Version: 3.95
>Number: 43548
>Category: kern
>Synopsis: raising net.inet.icmp.returndatabytes causes panic
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Jul 01 22:20:00 +0000 2010
>Closed-Date: Fri Jul 02 14:58:52 +0000 2010
>Last-Modified: Sun Jul 04 19:35:01 +0000 2010
>Originator: MC5794-RIPE
>Release: NetBSD 5.99.33
>Organization:
>Environment:
System: NetBSD kefren.ngnetworks.ro 5.99.33 NetBSD 5.99.33 (Home) #10: Wed Jun 30 15:15:28 EEST 2010 kefren@kefren.ngnetworks.ro:/disk3/work/netbsd-current/src/sys/arch/amd64/compile/obj/Home amd64
Architecture: x86_64
Machine: amd64
>Description:
panic: icmp len
db{0}> bt
breakpoint(c06dc506,dc,c38590e4,cb4afc0c,dc,c382f810,cb4afc40,c0468d52,c0aff30b,0) at netbsd:breakpoint+0x4
panic(c0aff30b,0,dc,c3859008,0,0,0,c3869300,c3859000,c386a600) at netbsd:panic+0x1f3
icmp_error(c3869300,b,0,0,0,cb4afcf8,cb4afca0,c05d9c4f,0,cb4afc90) at netbsd:icmp_error+0x422
ip_forward(c3869300,0,cb9f5004,1,c0c37a80,0,132,c04b6db8,4,14) at netbsd:ip_forward+0x242
ip_input(c3869300,0,c2a17700,cb4afd10,201a8c0,1,4,c2a17700,2e,cb36ea80) at netbsd:ip_input+0x7ca
ipintr(0,10,30,10,10,0,36ed20,cb78b900,0,cb4afda0) at netbsd:ipintr+0x96
softint_dispatch(cb36ed20,4,0,0,0,0,cb4afd90,cb4afbb8,cb4afc10,0) at netbsd:softint_dispatch+0x70
>How-To-Repeat:
1. sysctl -w net.inet.icmp.returndatabytes=200
2. make it respond with icmp ttl expired in transit to a large packet - using traceroute for example
3. see it crash
>Fix:
Looks like the code is broken for the M_EXT case. I will try to look over it next week if no one fixes it until then.
>Release-Note:
>Audit-Trail:
From: Mihai Chelaru <kefren@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/43548 CVS commit: src/sys/netinet
Date: Fri, 2 Jul 2010 07:02:01 +0000
Module Name: src
Committed By: kefren
Date: Fri Jul 2 07:02:00 UTC 2010
Modified Files:
src/sys/netinet: ip_icmp.c
Log Message:
manually adjust m_data and m_len so it can later be prepended with a
struct ip in case that a cluster is used. icmp len panic is not valid for
cluster case.
Fixes PR/43548
To generate a diff of this commit:
cvs rdiff -u -r1.123 -r1.124 src/sys/netinet/ip_icmp.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->closed
State-Changed-By: kefren@NetBSD.org
State-Changed-When: Fri, 02 Jul 2010 14:58:52 +0000
State-Changed-Why:
Fixed. Next week came earlier today
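The fix commit above describes adjusting m_data and m_len so that a struct ip can later be prepended when a cluster is used. The following is a simplified model of that idea, added here as an illustration and not taken from ip_icmp.c; struct pktbuf, fill() and prepend() are hypothetical names, and the 2048-byte buffer size and 208-byte payload are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for an mbuf cluster; NOT NetBSD's struct mbuf. */
#define BUF_SIZE   2048   /* assumed cluster size for this model */
#define IP_HDR_LEN 20     /* option-less IPv4 header */

struct pktbuf {
    uint8_t  storage[BUF_SIZE];
    uint8_t *data;        /* plays the role of m_data */
    size_t   len;         /* plays the role of m_len */
};

/* Copy n payload bytes in, leaving `reserve` bytes free in front of them. */
static int fill(struct pktbuf *b, const void *p, size_t n, size_t reserve)
{
    if (reserve > BUF_SIZE || n > BUF_SIZE - reserve)
        return -1;
    b->data = b->storage + reserve;
    b->len = n;
    memcpy(b->data, p, n);
    return 0;
}

/* Prepend a header in place; fail instead of writing before storage. */
static int prepend(struct pktbuf *b, const void *hdr, size_t n)
{
    if ((size_t)(b->data - b->storage) < n)   /* not enough leading space */
        return -1;
    b->data -= n;
    b->len += n;
    memcpy(b->data, hdr, n);
    return 0;
}

int main(void)
{
    static struct pktbuf b;
    uint8_t icmp[208] = {0}, ip[IP_HDR_LEN] = {0x45}; /* constructed sample */

    fill(&b, icmp, sizeof icmp, 0);              /* data at start of buffer */
    printf("no reserve:   %d\n", prepend(&b, ip, sizeof ip));
    fill(&b, icmp, sizeof icmp, IP_HDR_LEN);     /* data pointer moved forward */
    printf("with reserve: %d\n", prepend(&b, ip, sizeof ip));
    return 0;
}
```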
From: Antti Kantee <pooka@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/43548 CVS commit: src/tests/net/icmp
Date: Sun, 4 Jul 2010 19:31:00 +0000
Module Name: src
Committed By: pooka
Date: Sun Jul 4 19:30:59 UTC 2010
Added Files:
src/tests/net/icmp: Atffile Makefile t_forward.c
Log Message:
Add test case for PR kern/43548
Due to the nature of the feature under test, this one is a little
different, so let me explain how it works.
The test program forks and bootstraps a rump kernel in both processes.
It then configures shared memory interfaces in both. shmif is nice
in that it uses a mmaped file as the bus and does not require root
privileges for communication between two (or more) processes. The
child process then proceeds to increase icmp.returndatabytes as
indicated by the PR, while the parent process sets the global TTL
of the rump kernel to 1 (note: both values only affect the respective
rump kernels, not each other or more importantly the host kernel).
The parent then sends the bad packet which is supposed to be routed
by the child. If ip_icmp.c was too old, *boom* + fail; otherwise
nothing bad happens and the test exits with success after one
second.
Eventually this test can be extended into a framework for automated
testing of any networking code which requires (arbitrarily complex)
routing setups.
To generate a diff of this commit:
cvs rdiff -u -r0 -r1.1 src/tests/net/icmp/Atffile src/tests/net/icmp/Makefile \
src/tests/net/icmp/t_forward.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
>Unformatted: