Bug #13338: OpenVPN DCO panics with short UDP packets - pfSense Plus - pfSense bugtracker

Bug #13338

If a UDP packet directed towards an active OpenVPN socket is received which is too short to contain an OpenVPN header, a panic is triggered. 

 <pre> 
 db:0:kdb.enter.default>    show pcpu 
 cpuid          = 0 
 dynamic pcpu = 0x9a9140 
 curthread      = 0xfffff800046fd000: pid 0 tid 100079 "if_io_tqg_0" 
 curpcb         = 0xfffff800046fd5a0 
 fpcurthread    = none 
 idlethread     = 0xfffff80004662000: tid 100003 "idle: cpu0" 
 curpmap        = 0xffffffff83690da8 
 tssp           = 0xffffffff8371aea0 
 commontssp     = 0xffffffff8371aea0 
 rsp0           = 0xfffffe00005a7cc0 
 kcr3           = 0x8000000003d1b003 
 ucr3           = 0xffffffffffffffff 
 scr3           = 0x54cfca9f4 
 gs32p          = 0xffffffff837216b8 
 ldt            = 0xffffffff837216f8 
 tss            = 0xffffffff837216e8 
 tlb gen        = 485921 
 curvnet        = 0xfffff80004108b40 
 db:0:kdb.enter.default>    bt 
 Tracing pid 0 tid 100079 td 0xfffff800046fd000 
 kdb_enter() at kdb_enter+0x37/frame 0xfffffe00005a7340 
 vpanic() at vpanic+0x194/frame 0xfffffe00005a7390 
 panic() at panic+0x43/frame 0xfffffe00005a73f0 
 trap_fatal() at trap_fatal+0x38f/frame 0xfffffe00005a7450 
 trap_pfault() at trap_pfault+0x4f/frame 0xfffffe00005a74b0 
 calltrap() at calltrap+0x8/frame 0xfffffe00005a74b0 
 --- trap 0xc, rip = 0xffffffff80e14d74, rsp = 0xfffffe00005a7580, rbp = 0xfffffe00005a75b0 --- 
 m_copydata() at m_copydata+0x74/frame 0xfffffe00005a75b0 
 ovpn_udp_input() at ovpn_udp_input+0x6c/frame 0xfffffe00005a7650 
 udp_append() at udp_append+0x5b/frame 0xfffffe00005a76d0 
 udp_input() at udp_input+0x926/frame 0xfffffe00005a77c0 
 ip_input() at ip_input+0x16e/frame 0xfffffe00005a7870 
 netisr_dispatch_src() at netisr_dispatch_src+0xb9/frame 0xfffffe00005a78c0 
 ether_demux() at ether_demux+0x16a/frame 0xfffffe00005a78f0 
 ether_nh_input() at ether_nh_input+0x33b/frame 0xfffffe00005a7950 
 netisr_dispatch_src() at netisr_dispatch_src+0xb9/frame 0xfffffe00005a79a0 
 ether_input() at ether_input+0x89/frame 0xfffffe00005a7a00 
 iflib_rxeof() at iflib_rxeof+0xaa6/frame 0xfffffe00005a7ae0 
 _task_fn_rx() at _task_fn_rx+0x72/frame 0xfffffe00005a7b20 
 gtaskqueue_run_locked() at gtaskqueue_run_locked+0x121/frame 0xfffffe00005a7b80 
 gtaskqueue_thread_loop() at gtaskqueue_thread_loop+0xd2/frame 0xfffffe00005a7bb0 
 fork_exit() at fork_exit+0x7e/frame 0xfffffe00005a7bf0 
 fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00005a7bf0 
 --- trap 0, rip = 0, rsp = 0, rbp = 0 --- 
 </pre>

Back

Project

General

Profile

pfSense » pfSense Plus

Bug #13338