On Sat, Feb 05, 2011 at 03:24:11PM +0100, Henning Brauer wrote:
> * Alexander Bluhm <alexander.bl...@gmx.net> [2011-02-05 14:56]:
> > Somebody could send us such a packet.
>
> I'm pretty damn sure we catch that way earlier.
Yeah, it panics right away if nat/rdr is used with an unusual protocol.

panic: m_clget: request for 1926905556 byte cluster
Stopped at      Debugger+0x4:   popl    %ebp
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb> trace
Debugger(d08dcebc,d45b4bd0,d08bc8c4,d45b4bd0,d0202f0d) at Debugger+0x4
panic(d08bc8c4,72da3ed4,d45b4bf4,d0400453,40) at panic+0x5d
m_clget(d30ea700,2,0,72da3ed4,d30591a8) at m_clget+0x138
m_copyback(d30ea500,14,72da3ed4,d45b4d94,2) at m_copyback+0x1d2
pf_test_rule(d45b4dc0,d45b4dbc,1,d0e04d00,d30ea500) at pf_test_rule+0xd91
pf_test(1,d0f06038,d45b4eac,0,d0f06000) at pf_test+0xcd3
ipv4_input(d30ea500,6,d45b4ec4,d0441185,d0202f0d) at ipv4_input+0x204
ipintr(d0202f0d,d0eefbe0,d45b4ee4,d057ac2f,0) at ipintr+0x49
netintr(0,0,d0ef0a80,0,d0201fc6) at netintr+0xd5
softintr_dispatch(1) at softintr_dispatch+0x4f
Xsoftnet() at Xsoftnet+0x12

hdrlen can be uninitialized. Let's fix that first. ok?

Index: net/pf.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/net/pf.c,v retrieving revision 1.722 diff -u -p -r1.722 pf.c --- net/pf.c 22 Jan 2011 11:43:57 -0000 1.722 +++ net/pf.c 5 Feb 2011 16:16:57 -0000 @@ -3047,7 +3047,7 @@ pf_test_rule(struct pf_rule **rm, struct } /* copy back packet headers if we performed NAT operations */ - if (rewrite) + if (rewrite && hdrlen) m_copyback(m, off, hdrlen, pd->hdr.any, M_NOWAIT); #if NPFSYNC > 0 @@ -5517,6 +5517,7 @@ pf_setup_pdesc(sa_family_t af, int dir, if (pd->hdr.any == NULL) panic("pf_setup_pdesc: no storage for headers provided"); + *hdrlen = 0; switch (af) { #ifdef INET case AF_INET: {
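Review bot: in the pf_test_rule hunk, `if (rewrite && hdrlen)` only helps once hdrlen is guaranteed to be 0 for protocols that get no header parsed; with the stale stack value seen in the trace (m_clget asked for 1926905556 bytes from m_copyback called out of pf_test_rule) the extra condition would not have stopped the panic on its own. A short comment on the line, saying that hdrlen is 0 when pf_setup_pdesc had no case for the protocol and there are no headers to copy back, would keep a later reader from taking the check as the fix rather than a guard.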
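Review bot: in the pf_setup_pdesc hunk, `*hdrlen = 0;` sits after the NULL check on pd->hdr.any and before `switch (af)`, so every address family or protocol without a matching case now hands the caller a defined length instead of uninitialized stack contents, which is the right place for it. Since the trace shows the bad length reaching m_copyback through pf_test_rule, it is worth confirming that pf_setup_pdesc is the only writer of hdrlen on that path, or initializing hdrlen at its declaration in the caller as well, so the copyback is safe even if a future caller skips pf_setup_pdesc.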