Bug 132354

Summary: [nat] Getting some packages to ipnat(8) causes crash
Product: Base System
Reporter: Renat Vafin <hitori>
Component: kern
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Open
Severity: Affects Only Me
Priority: Normal
Version: Unspecified
Hardware: Any
OS: Any

Description Renat Vafin 2009-03-06 10:30:01 UTC
The router started to crash some time ago. We changed everything, from individual parts to the server as a whole. We tried FreeBSD 6.4, 7.0 and 7.1. We used Intel (em & fxp) and Realtek (re) network cards. After installing the logger package we found the IP packet which led to the crash. As it turned out, the crash occurs in the presence of certain strings in the ipnat configuration. The following are the minimum contents of the ipnat configuration file.

#cat /etc/ipnat.rules
bimap re0 10.0.0.1 -> 92.50.219.35

If the file /etc/ipnat.rules is empty or the destination address is different from 92.50.219.35, the crash does not occur.

How-To-Repeat: Send this packet via CommView to the Ethernet port of a server running ipnat.
The contents of the packet as created by CommView:

============================================================================
Packet #1, Direction: Pass-through, Time:09:39:01,169296, Size: 60
Ethernet II
	Destination MAC: 00:80:48:51:C7:DD
	Source MAC: 00:14:F6:F1:B3:F1
	Ethertype: 0x0800 (2048) - IP
IP
	IP version: 0x04 (4)
	Header length: 0x05 (5) - 20 bytes
	Differentiated Services Field: 0x00 (0)
		Differentiated Services Code Point: 000000 - Default
		ECN-ECT: 0
		ECN-CE: 0
	Total length: 0x001C (28)
	ID: 0x73E1 (29665)
	Flags
		Don't fragment bit: 0 - May fragment
		More fragments bit: 0 - Last fragment
	Fragment offset: 0x05C0 (1472)
	Time to live: 0x78 (120)
	Protocol: 0x06 (6) - TCP
	Checksum: 0x1913 (6419) - correct
	Source IP: 77.40.48.178
	Destination IP: 92.50.219.35
	IP Options: None
Raw Data:
0x0000   00 80 48 51 C7 DD 00 14-F6 F1 B3 F1 08 00 45 00   ..HQ..........E.
0x0010   00 1C 73 E1 00 B8 78 06-19 13 4D 28 30 B2 5C 32   ..s...x...M(0.\2
0x0020   DB 23 74 00 65 00 20 00-4C 00 00 00 00 00 00 00   .#t.e. .L.......
0x0030   00 00 00 00 00 00 00 00-00 00 00 00               ............

============================================================================
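As an added illustration (not part of the bug report and not FreeBSD's ipnat/ipfilter code), the following Python 3 script, using only the standard library, decodes the raw frame from the dump above, verifies the IPv4 header checksum, and reports what a NAT or firewall has to notice before it looks for transport-layer ports: the packet is an IP fragment at byte offset 1472 with the More Fragments bit clear and only 8 bytes of payload, so it contains no TCP header at all. The hazard classification in `fragment_hazards` and the header-length constants are our own defensive checks written for this example, not a description of ipnat's internals or of why it crashed.

```python
import struct

# Ethernet frame from the CommView dump in the report (60 bytes: 14-byte Ethernet II
# header, 28-byte IPv4 packet, 18 bytes of Ethernet padding). Copied from the bug.
FRAME = bytes.fromhex(" ".join([
    "00 80 48 51 C7 DD 00 14 F6 F1 B3 F1 08 00 45 00",
    "00 1C 73 E1 00 B8 78 06 19 13 4D 28 30 B2 5C 32",
    "DB 23 74 00 65 00 20 00 4C 00 00 00 00 00 00 00",
    "00 00 00 00 00 00 00 00 00 00 00 00",
]))

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17
TCP_MIN_HDR_LEN, UDP_HDR_LEN = 20, 8   # minimum bytes needed to read the port numbers


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header as received (checksum field
    included). The result is 0 exactly when the header checksum is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_frame(frame: bytes) -> dict:
    """Decode Ethernet II + IPv4 and return the header fields a NAT or firewall
    must look at before it is allowed to read transport-layer ports."""
    if len(frame) < ETH_HDR_LEN + 20:
        raise ValueError("frame too short for Ethernet + IPv4")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4: ethertype 0x%04x" % ethertype)
    ip = frame[ETH_HDR_LEN:]
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(ip):
        raise ValueError("malformed IPv4 header")
    return {
        "ihl": ihl,
        "total_len": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # offset is in 8-byte units
        "ttl": ttl,
        "proto": proto,
        "checksum": csum,
        "checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        # bytes after total_len are link-layer padding, not IP payload
        "payload_len": total_len - ihl,
    }


def fragment_hazards(pkt: dict) -> list:
    """Our own defensive classification (not ipnat's logic): cases where code
    that maps by port must not read ports out of this packet, because they are
    not there. Ports live only in the first fragment, and only if that fragment
    is long enough to carry the transport header."""
    hazards = []
    if pkt["frag_offset"] != 0:
        hazards.append("non-first fragment: no transport header in this packet")
    elif pkt["proto"] == IPPROTO_TCP and pkt["payload_len"] < TCP_MIN_HDR_LEN:
        hazards.append("TCP payload shorter than a TCP header")
    elif pkt["proto"] == IPPROTO_UDP and pkt["payload_len"] < UDP_HDR_LEN:
        hazards.append("UDP payload shorter than a UDP header")
    if not pkt["checksum_ok"]:
        hazards.append("bad IPv4 header checksum")
    return hazards


def analyze(frame: bytes = FRAME) -> dict:
    """Decode a frame and attach the list of hazards found."""
    pkt = parse_ipv4_frame(frame)
    pkt["hazards"] = fragment_hazards(pkt)
    return pkt


if __name__ == "__main__":
    for key, value in analyze().items():
        print("%-13s %s" % (key, value))
```

Running the script prints the decoded fields for the frame in the report, ending with the hazard list. `analyze()` accepts any Ethernet II + IPv4 frame as bytes, so the same check can be run over frames pulled from a capture when triaging similar reports.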
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2009-03-06 16:10:27 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-net

Over to maintainer(s).
Comment 2 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 08:00:57 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped