Bug #135
closed
Connecting to FTP server causes panic
Description
If you add a port forward for TCP 21 on WAN, and connect to the FTP server from the WAN side, the box panics.
FTP client log:
Status: Connecting to 10.0.64.49:21...
Status: Connection established, waiting for welcome message...
Response: 220 Chris-Buechlers-Computer.local FTP server (tnftpd 20061217) ready.
Command: USER cmb
Response: 331 Password required for cmb.
Command: PASS **
Response: 230-
Response: Welcome to Darwin!
Response: 230 User cmb logged in.
Command: SYST
Response: 215 UNIX Type: L8 Version: tnftpd 20061217
Command: FEAT
Response: 211-Features supported
Response: MDTM
Response: MLST Type*;Size*;Modify*;Perm*;Unique*;
Response: REST STREAM
Response: SIZE
Response: TVFS
Response: 211 End
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/Users/cmb" is the current directory.
Command: TYPE I
Response: 200 Type set to I.
Command: PASV
At which point it panics:
Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address = 0x58
fault code = supervisor write, page not present
instruction pointer = 0x20:0xc050f303
stack pointer = 0x28:0xe571d7c8
frame pointer = 0x28:0xe571d8c8
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 0 (em0 taskq)
[thread pid 0 tid 64029]
Stopped at pf_handle_ftp+0xba3: addl $0x1,0x58(%eax)
db> bt
Tracing pid 0 tid 64029 td 0xc32e3480
pf_handle_ftp(e571daa4,c3584300,c39ab9fc,14,2,...) at pf_handle_ftp+0xba3
pf_test(2,c32a5c00,e571db74,0,0,...) at pf_test+0x93f
pf_check_out(0,e571db74,c32a5c00,2,0,...) at pf_check_out+0x5c
pfil_run_hooks(c0fbcca0,e571dbb4,c32a5c00,2,0,...) at pfil_run_hooks+0x7e
ip_fastforward(c3584300,e,c32da800,c32da800,c3389802,...) at ip_fastforward+0x46e
ether_demux(c32da800,c3584300,3,0,3,...) at ether_demux+0x12d
ether_input(c32da800,c3584300,0,1111cd9,c32e3480,...) at ether_input+0x33f
em_rxeof(c32e3480,e571dca4,c098425f,c32e3480,e571dca0,...) at em_rxeof+0x4fa
em_handle_rxtx(c32dc000,1,0,c0dc53b4,0,...) at em_handle_rxtx+0x27
taskqueue_run(c3297580,c3297598,c0dc53b4,0,e571dcf4,...) at taskqueue_run+0x162
taskqueue_thread_loop(c32e0564,e571dd38,0,0,0,...) at taskqueue_thread_loop+0xbd
fork_exit(c0985b60,c32e0564,e571dd38) at fork_exit+0x91
fork_trampoline() at fork_trampoline+0x8
--- trap 0, eip = 0, esp = 0xe571dd70, ebp = 0 ---