>Number:         162926
>Category:       kern
>Synopsis:       Infinite loop in ipfilter with fragmented IPv6 traffic
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Nov 28 16:00:20 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Paul
>Release:        6.4
>Organization:
>Environment:
FreeBSD virtualbox0 6.4-RELEASE FreeBSD 6.4-RELEASE #0: Wed Nov 26 11:43:51 UTC 2008     r...@dessler.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
When receiving the following packet, ipfilter enters a loop in the frpr_ipv6hdr function, making the whole system unresponsive. More recent versions of FreeBSD (e.g. 8.x) seem to be affected as they are using the same version of ipfilter.

# tcpdump -n -X -r AC_458632.pak
reading from file AC_458632.pak, link-type EN10MB (Ethernet)
01:00:00.000453 IP6 truncated-ip6 - 32724 bytes missing!:: > 80::: frag (0|32760) AH(spi=0x00000000,seq=0x33000000): HBH AH(spi=0x00000000,seq=0x0): HBH [|HBH]
        0x0000:  6000 0000 8000 2c00 0000 0000 0000 0000  `.....,.........
        0x0010:  0000 0000 0000 0000 0080 0000 0000 0000  ................
        0x0020:  0000 0000 0000 0000 3300 0004 0000 0000  ........3.......
        0x0030:  0000 0000 0000 0000 3300 0000 0000 0000  ........3.......
        0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0050:  0000 0000

The problem seems to have been corrected in ipfilter 4.1.31.
>How-To-Repeat:
Enable ipfilter. Enable IPv6 and IPv6 forwarding. Send the packet through the filter.
>Fix:
Install ipfilter v4.1.31.
>Release-Note:
>Audit-Trail:
>Unformatted:
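As an added illustration (not code from the PR, from ipfilter, or from FreeBSD), the following C program walks the IPv6 extension-header chain of the 84 bytes transcribed from the hexdump above with the three checks a packet filter needs to avoid the failure mode the PR describes: every header must advance the parse offset by a positive amount, the advance must stay inside the captured length, and the number of chained headers is capped. It is a generic RFC 8200 / RFC 4302 chain walker, not a reconstruction of frpr_ipv6hdr; the MAX_EXT_HEADERS value, the walk_* names and the pr162926_pkt array (constructed from the dump) are assumptions of the example. Fed the PR's packet, the walk consumes the Fragment, AH, Hop-by-Hop, AH and Hop-by-Hop headers and stops at offset 80 with a truncation result instead of spinning; a second, programmatically built chain of 20 Hop-by-Hop headers is refused by the cap.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Next-header values (RFC 8200, RFC 4302). */
enum { NH_HOPOPTS = 0, NH_ROUTING = 43, NH_FRAGMENT = 44, NH_AH = 51,
       NH_NONE = 59, NH_DSTOPTS = 60 };

#define IPV6_HDRLEN     40
#define MAX_EXT_HEADERS 16   /* hypothetical policy limit, not an ipfilter value */

enum walk_status {
    WALK_OK = 0,             /* reached an upper-layer (or No Next) header */
    WALK_TRUNCATED,          /* packet ends inside a header */
    WALK_TOO_MANY_HEADERS,   /* chain longer than MAX_EXT_HEADERS */
    WALK_BAD_LENGTH,         /* a header would advance the offset by zero */
    WALK_NOT_IPV6
};

struct walk_result {
    enum walk_status status;
    int     headers;         /* extension headers consumed */
    size_t  offset;          /* offset at which the walk stopped */
    uint8_t last_nh;         /* next-header value at that point */
};

/* The 84 captured bytes from the PR's tcpdump -X output (constructed here). */
static const uint8_t pr162926_pkt[84] = {
    /* 0x0000 */ 0x60,0x00,0x00,0x00, 0x80,0x00,0x2c,0x00, 0,0,0,0,0,0,0,0,
    /* 0x0010 */ 0,0,0,0,0,0,0,0, 0x00,0x80,0,0,0,0,0,0,
    /* 0x0020 */ 0,0,0,0,0,0,0,0, 0x33,0x00,0x00,0x04,0,0,0,0,
    /* 0x0030 */ 0,0,0,0,0,0,0,0, 0x33,0,0,0,0,0,0,0,
    /* 0x0040 */ 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,
    /* 0x0050 */ 0,0,0,0
};

static int is_ext_hdr(uint8_t nh)
{
    return nh == NH_HOPOPTS || nh == NH_ROUTING || nh == NH_FRAGMENT ||
           nh == NH_AH || nh == NH_DSTOPTS;
}

/* Total length of the extension header starting at h; h[1] is its length field. */
static size_t ext_hdr_len(uint8_t nh, const uint8_t *h)
{
    switch (nh) {
    case NH_FRAGMENT: return 8;                        /* fixed size */
    case NH_AH:       return ((size_t)h[1] + 2) * 4;   /* 32-bit words minus 2 */
    case NH_HOPOPTS: case NH_ROUTING: case NH_DSTOPTS:
                      return ((size_t)h[1] + 1) * 8;   /* 8-octet units, first 8 excluded */
    default:          return 0;
    }
}

struct walk_result walk_ipv6(const uint8_t *pkt, size_t len)
{
    struct walk_result r = { WALK_OK, 0, 0, 0 };
    if (len < IPV6_HDRLEN || (pkt[0] >> 4) != 6) { r.status = WALK_NOT_IPV6; return r; }

    uint8_t nh = pkt[6];
    size_t off = IPV6_HDRLEN;
    while (is_ext_hdr(nh)) {
        if (r.headers >= MAX_EXT_HEADERS) { r.status = WALK_TOO_MANY_HEADERS; break; }
        if (off + 2 > len)                { r.status = WALK_TRUNCATED; break; } /* need the length byte */
        size_t hl = ext_hdr_len(nh, pkt + off);
        /* Cannot happen with the formulas above (minimum 8), but a length rule that can
         * yield 0 is exactly what turns a header walk into an endless loop. */
        if (hl == 0)                      { r.status = WALK_BAD_LENGTH; break; }
        if (off + hl > len)               { r.status = WALK_TRUNCATED; break; }
        nh = pkt[off];
        off += hl;
        r.headers++;
    }
    r.offset = off;
    r.last_nh = nh;
    return r;
}

/* Build an IPv6 packet with n chained 8-byte Hop-by-Hop headers (PadN filled),
 * ending in No Next Header; returns the packet length or 0 if buf is too small. */
static size_t build_hbh_chain(uint8_t *buf, size_t cap, int n)
{
    size_t need = IPV6_HDRLEN + (size_t)n * 8;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 0x60;
    buf[4] = (uint8_t)((n * 8) >> 8); buf[5] = (uint8_t)(n * 8);
    buf[6] = n > 0 ? NH_HOPOPTS : NH_NONE;
    for (int i = 0; i < n; i++) {
        uint8_t *h = buf + IPV6_HDRLEN + (size_t)i * 8;
        h[0] = (i + 1 < n) ? NH_HOPOPTS : NH_NONE;
        h[1] = 0;             /* 8-octet header */
        h[2] = 1; h[3] = 4;   /* PadN option covering the remaining 6 bytes */
    }
    return need;
}

enum walk_status walk_hbh_chain(int n)
{
    uint8_t buf[IPV6_HDRLEN + 8 * 64];
    return walk_ipv6(buf, build_hbh_chain(buf, sizeof buf, n)).status;
}

int main(void)
{
    struct walk_result r = walk_ipv6(pr162926_pkt, sizeof pr162926_pkt);
    printf("PR packet: status=%d headers=%d stop-offset=%zu next-header=%u\n",
           r.status, r.headers, r.offset, r.last_nh);
    printf("20 chained HBH headers: status=%d\n", walk_hbh_chain(20));
    return 0;
}
```

With the RFC length rules the smallest AH or options header is 8 bytes, so correct length arithmetic can never produce a zero advance; the hl == 0 test is defense in depth against a future or mis-derived length rule, and the cap bounds the work an attacker can force per packet regardless of how the headers chain back and forth, as the AH/HBH/AH/HBH sequence in the dump does.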