Bug 214727 - [patch][mfc]NULL dereference in tcp_signature_do_compute
Status: Closed Not A Bug
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 11.0-RELEASE
Hardware: Any Any
: --- Affects Some People
Assignee: Andrey V. Elsukov
Keywords: patch
Depends on:
Reported: 2016-11-22 09:36 UTC by dgilbert
Modified: 2016-12-23 06:45 UTC
Description dgilbert 2016-11-22 09:36:27 UTC
Anyone doing IPv6 BGP will likely run into this. An IPv6 MD5 packet causes a panic because of a NULL dereference.

This is fixed in r307726 in HEAD, but the problem exists in at least 11.0p3 and likely in 11-STABLE, too (although I didn't check). I think this is serious enough to be considered ERRATA too ... or even a possible denial-of-service (although I don't know if you can trigger this without MD5 being configured).

Anyways, MFC 307726.
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2016-11-22 11:58:56 UTC
Over to committer of 307726.
Comment 2 Andrey V. Elsukov freebsd_committer 2016-11-22 15:52:50 UTC
I think you misinterpreted r307726. You probably mean r308358, which was already merged into stable/11 with r308613.
Comment 3 dgilbert 2016-11-22 16:28:28 UTC
Looks like you're correct. I misread the patch screen in the svn-web interface. Sigh.

However... this really needs to be MFC'd to 11.0, not just 11-STABLE. I'm not sure if it gets classified as an errata or a security thing. But upgrading anything that uses MD5 and IPv6 (like a BGP router) from 10.3 to 11.0 gives a quickly rebooting router.
Comment 5 Gleb Smirnoff freebsd_committer 2016-11-22 21:10:27 UTC
There is no sense in making an Errata Notice for this problem, since the feature doesn't belong to the GENERIC kernel. The feature is available only in custom-made kernels.