|Summary:|[patch][mfc] NULL dereference in tcp_signature_do_compute|
|Component:|kern|
|Assignee:|Andrey V. Elsukov <ae>|
|Status:|Closed Not A Bug|
|Severity:|Affects Some People|
|CC:|ae, glebius, hiren, secteam, tuexen|
Description dgilbert 2016-11-22 09:36:27 UTC
Anyone doing IPv6 BGP will likely run into this. An IPv6 MD5 packet causes a panic because of a NULL dereference. This is fixed in r307726 in HEAD, but the problem exists in at least 11.0p3 and likely in 11-STABLE, too (although I didn't check). I think this is serious enough to be considered ERRATA too ... or even a possible denial-of-service (although I don't know if you can trigger this without MD5 being configured). Anyways, MFC 307726.
Comment 1 Mark Linimon 2016-11-22 11:58:56 UTC
Over to committer of 307726.
Comment 2 Andrey V. Elsukov 2016-11-22 15:52:50 UTC
I think you misinterpreted r307726. You probably mean r308358, which was already merged into stable/11 with r308613.
Comment 3 dgilbert 2016-11-22 16:28:28 UTC
Looks like you're correct. I misread the patch screen in the svn-web interface. Sigh. However... this really needs to be MFC'd to 11.0, not just 11-STABLE. I'm not sure if it gets classified as an erratum or a security thing. But upgrading anything that uses MD5 and IPv6 (like a BGP router) from 10.3 to 11.0 gives a quickly rebooting router.
Comment 4 Michael Tuexen 2016-11-22 17:45:44 UTC
Over to the committer of https://svnweb.freebsd.org/base/head/sys/netinet/tcp_subr.c?revision=308358&view=markup&pathrev=308358.
Comment 5 Gleb Smirnoff 2016-11-22 21:10:27 UTC
There is no sense in making an Errata Notice for this problem, since the feature doesn't belong to the GENERIC kernel. The feature is available only in custom-made kernels.