Bug #14092
closed
Kernel panic when PF passes a large/fragmented ICMP6 packet
Added by Jim Pingle about 1 year ago.
Updated 11 months ago.
Category:
Operating System
Plus Target Version:
23.05
Description
With pf enabled and a rule to pass IPv6 ICMP, the kernel may panic when receiving and passing a large ICMP6 packet:
ping6 -s 65500 <target address>
It happens against 2.7.0 (current snapshot, 2.7.0.a.20230310.0600) as well as Plus 23.01-RELEASE.
If the packet is blocked or if pf is disabled, the crash does not occur.
Textdump is attached from a 2.7.0 system as those still have debugging options enabled in the kernel.
Files
The backtrace here looks the same as on #14077, they may be the same.
- Status changed from New to In Progress
I believe I understand the issue. Briefly put, pf_refragment6() ends up calling ip6_forward() for traffic in the output (so not forwarding) path, and ip6_forward() assumes that m->m_pkthdr.rcvif is set, which is not the case for output traffic.
This fixes the panic: https://reviews.freebsd.org/D39061 (and subsequent reviews fix link-local functionality and add a test case).
- Status changed from In Progress to Ready To Test
Snapshots as of today have the relevant fix included.
- Status changed from Ready To Test to Resolved
- Priority changed from Normal to Urgent
- % Done changed from 0 to 100
Looks good to me. I cannot crash a current Plus 23.05 or CE 2.7.0 snapshot with a large ping packet as I could before. Before updating to a current snapshot, I could crash either one.
- Private changed from Yes to No
- Related to Bug #14077: Kernel panic from incoming IPv6 connections added
- Affected Version set to 2.7.0
Also available in: Atom
PDF
Updated by 
Updated by