Project

General

Profile

Actions

Bug #1552

closed

DNS Reject Rule Crashes Router

Added by Aaron Lusk over 10 years ago. Updated over 10 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Operating System
Target version:
Start date:
05/24/2011
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.0
Affected Architecture:

Description

UDP - LAN - net - * - !Router - 53(DNS) - WAN - none - DNS Reject

If this rule is setup on the LAN interface to reject DNS traffic NOT going to the router's DNS forwarder and a request is sent through the router to another DNS server this happens:

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address = 0xc
fault code = supervisor read, page not present
instruction pointer = 0x20:0xc0970497
stack pointer = 0x28:0xe2ca2498
frame pointer = 0x28:0xe2ca24c4
code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 11 (irq10: vr0)
trap number = 12
panic: page fault
cpuid = 0
Uptime: 2h35m4s
Cannot dump. Device not defined or unavailable.
Automatic reboot in 15 seconds - press a key on the console to abort
Rebooting...

All that is needed to crash the router is running "nslookup google.com. 8.8.8.8" from windows and the box will reboot. The solution is to change the gateway for this rule back to default and the problem does not occur.


Files

udp_reject_panic.png (29.7 KB) udp_reject_panic.png Jim Pingle, 05/25/2011 04:10 PM
Actions #1

Updated by Chris Buechler over 10 years ago

  • Status changed from New to Feedback
  • Target version set to 2.0
  • Affected Version set to 2.0

need backtrace

Actions #2

Updated by Jim Pingle over 10 years ago

This really does crash the box. Attaching a backtrace. I can reproduce it at will.

Actions #3

Updated by Evgeny Yurchenko over 10 years ago

I have slightly different results.
1. Setup as in the bug description - blocking rule just does not work, DNS request goes through firewall and reply is passed back to requestor.
2. The rule is blocking DNS traffic as expected when I return gateway in this rule to default.

Actions #4

Updated by Ermal Luçi over 10 years ago

Evgeny you need fragments to trigger this panic.

Actions #5

Updated by Ermal Luçi over 10 years ago

  • Status changed from New to Feedback
Actions #6

Updated by Ermal Luçi over 10 years ago

This has been fixed for now by nullifying the gateway selection silently.

Actions #7

Updated by Chris Buechler over 10 years ago

  • Category set to Operating System

Aaron - is this fixed?

Actions #8

Updated by Chris Buechler over 10 years ago

  • Status changed from Feedback to Resolved
Actions

Also available in: Atom PDF