Bug 214727

Summary:	[patch][mfc]NULL dereference in tcp_signature_do_compute
Product:	Base System	Reporter:	dgilbert
Component:	kern	Assignee:	Andrey V. Elsukov <ae>
Status:	Closed Not A Bug
Severity:	Affects Some People	CC:	ae, glebius, hiren, secteam, tuexen
Priority:	---	Keywords:	patch
Version:	11.0-RELEASE
Hardware:	Any
OS:	Any

Description dgilbert 2016-11-22 09:36:27 UTC

anyone doing IPv6 BGP will likely run into this.  An IPv6 MD5 packet causes a panic because of a NULL dereference.

This is fixed in r307726 in HEAD, but the problem exists in at least 11.0p3 and likely in 11-STABLE, too (although I didn't check).  I think this is serious enough to be considered ERRATA too ... or even a possible denial-of-service (although I don't know if you can trigger this without md5 being configured)

anyways MFC 307726.

Comment 1 Mark Linimon freebsd_committer

2016-11-22 11:58:56 UTC

Over to committer of 307726.

Comment 2 Andrey V. Elsukov freebsd_committer

2016-11-22 15:52:50 UTC

I think you misinterpreted r307726. Probably you mean r308358, that already was merged into stable/11 with r308613.

Comment 3 dgilbert 2016-11-22 16:28:28 UTC

looks like you're correct.  I misread the patch screen in the svn-web interface.  Sigh.

However... this really needs to be MFC'd to 11.0, not just 11-STABLE.  I'm not sure if it gets classified as an eratta or a security thing.  But upgrading anything that uses MP5 and IPv6 (like a BGP router) from 10.3 to 11.0 gives a quickly rebooting router.

Comment 4 Michael Tuexen freebsd_committer

2016-11-22 17:45:44 UTC

Over to the committer of https://svnweb.freebsd.org/base/head/sys/netinet/tcp_subr.c?revision=308358&view=markup&pathrev=308358.

Comment 5 Gleb Smirnoff freebsd_committer

2016-11-22 21:10:27 UTC

There is no sense to make Errata Notice for this problem, since the feature doesn't belong to the GENERIC kernel. The feature is available only in custom made kernels.