Bug 23187

Summary: possible panic when ipfw is used on ICMP on 4.2-stable
Product: Base System
Reporter: ming <ming>
Component: kern
Assignee: Darren Reed <darrenr>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: Unspecified
Hardware: Any
OS: Any

Description ming 2000-11-30 03:40:01 UTC
The ofin struct passed into fr_makefrip() from ip_state.c is created
on the local function stack and its fin_v member is not initialized.
fr_makefrip() checks fin_v to determine whether to execute IPv6 code
or IPv4 code; however, fin_v's value is undetermined and thus it's
possible it may contain 6 while the packet (ip_t) is an IPv4 packet,
and this may cause the kernel to panic sometimes (happened once to me already).

Fix: 

change v = fin->fin_v; to v = fin->fin_v = ip->ip_v;

the patch is at http://www.windmoon.nu/mypatch
How-To-Repeat: tough to reproduce the crash, but very easy to get fr_makefrip() to
execute IPv6 code when dealing with IPv4 ICMP packets.  Simply
keep doing traceroute to some hosts on the net; eventually fin_v may
contain the value 6.
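As an added illustration, not part of this report or of the IP Filter sources: a C sketch of the defect and of the proposed one-line fix. The ip_t and fr_info_t structures, the IP_V() helper and the dispatch() caller are simplified stand-ins (assumptions, not the real headers), and the 'stale' value is constructed to mimic whatever the stack happened to hold.

```c
#include <stdint.h>

/* Simplified stand-ins for the IP Filter types (assumptions, not the real headers). */
typedef struct ip {
    uint8_t ip_vhl;          /* version (high nibble) and header length (low nibble) */
} ip_t;
#define IP_V(ip) ((ip)->ip_vhl >> 4)

typedef struct fr_info {
    int fin_v;               /* IP version that fr_makefrip() dispatches on */
} fr_info_t;

/* Before the fix: trusts fin_v, which the caller in ip_state.c never set.
 * Returns the code path taken: 6 means the IPv6 parser ran, 4 the IPv4 one. */
int fr_makefrip_before(ip_t *ip, fr_info_t *fin)
{
    int v = fin->fin_v;
    (void)ip;                /* the header itself is never consulted for the version */
    if (v == 6)
        return 6;            /* would read IPv6 header fields out of an IPv4 header */
    if (v == 4)
        return 4;
    return -1;
}

/* After the fix: the version is taken from the packet and written back into fin,
 * so any later code that reads fin_v sees a value derived from the header. */
int fr_makefrip_after(ip_t *ip, fr_info_t *fin)
{
    int v = fin->fin_v = IP_V(ip);
    if (v == 6)
        return 6;
    if (v == 4)
        return 4;
    return -1;
}

/* Mimics the ip_state.c caller: fr_info on the stack, with fin_v holding a
 * constructed 'stale' value standing in for whatever the stack contained. */
int dispatch(int (*makefrip)(ip_t *, fr_info_t *), int stale)
{
    ip_t ip;
    fr_info_t ofin;
    ip.ip_vhl = 0x45;        /* constructed IPv4 header: version 4, IHL 5 */
    ofin.fin_v = stale;
    return makefrip(&ip, &ofin);
}
```

With a stale 6 on the stack the unfixed function takes the IPv6 path for an IPv4 packet; the fixed one takes the IPv4 path regardless of what fin_v held.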
Comment 1 Doug Barton 2000-12-04 02:47:47 UTC
Responsible Changed
From-To: freebsd-bugs->billf

This sounds like something Bill will be interested in
when he's done moving.
Comment 2 ru 2000-12-04 09:37:23 UTC
Responsible Changed
From-To: billf->darrenr

This is not ipfw but rather an IP Filter issue.
Comment 3 Darren Reed 2000-12-04 14:26:25 UTC
State Changed
From-To: open->suspended

Fix will be integrated in the next ipfilter import.
Comment 4 Darren Reed 2001-02-21 21:25:47 UTC
State Changed
From-To: suspended->closed

Fixed with the latest import.