Bug 214727

Summary: [patch][mfc]NULL dereference in tcp_signature_do_compute
Product: Base System Reporter: dgilbert
Component: kernAssignee: Andrey V. Elsukov <ae>
Status: Closed Not A Bug    
Severity: Affects Some People CC: ae, glebius, hiren, secteam, tuexen
Priority: --- Keywords: patch
Version: 11.0-RELEASE   
Hardware: Any   
OS: Any   

Description dgilbert 2016-11-22 09:36:27 UTC
anyone doing IPv6 BGP will likely run into this.  An IPv6 MD5 packet causes a panic because of a NULL dereference.

This is fixed in r307726 in HEAD, but the problem exists in at least 11.0p3 and likely in 11-STABLE, too (although I didn't check).  I think this is serious enough to be considered ERRATA too ... or even a possible denial-of-service (although I don't know if you can trigger this without md5 being configured)

anyways MFC 307726.
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2016-11-22 11:58:56 UTC
Over to committer of 307726.
Comment 2 Andrey V. Elsukov freebsd_committer 2016-11-22 15:52:50 UTC
I think you misinterpreted r307726. Probably you mean r308358, that already was merged into stable/11 with r308613.
Comment 3 dgilbert 2016-11-22 16:28:28 UTC
looks like you're correct.  I misread the patch screen in the svn-web interface.  Sigh.

However... this really needs to be MFC'd to 11.0, not just 11-STABLE.  I'm not sure if it gets classified as an eratta or a security thing.  But upgrading anything that uses MP5 and IPv6 (like a BGP router) from 10.3 to 11.0 gives a quickly rebooting router.
Comment 5 Gleb Smirnoff freebsd_committer 2016-11-22 21:10:27 UTC
There is no sense to make Errata Notice for this problem, since the feature doesn't belong to the GENERIC kernel. The feature is available only in custom made kernels.