
binat causes panic on FreeBSD 5.3

The version of pf included in FreeBSD 5.3 seems to have an issue with the 
handling of binat directives. Evaluation of a binat rule results in a page 
fault. By inspection, the version in OpenBSD CVS should have the same issue.
To witness the problem, use the pf.conf below and send any packet to the
target interface.

int_if = "fxp0"
binat on $int_if from to any -> ($int_if:0)

By looking at pf.c:2334, we try to access r->src.addr.p.dyn->pfid_acnt4,
when r->src.addr.p.dyn is null (since the source address is not dynamic).
This is in pf_get_translation:

#22 0x00000000 in ?? ()
#23 0x0000000c in ?? ()
#24 0x00000000 in ?? ()
#25 0xc0460cfd in pf_get_translation (pd=0xd0ff6be4, m=0xc18e5e00, off=20,
    direction=1, kif=0xc19e8800, sn=0xd0ff6b30, saddr=0xc192302c, sport=0,
    daddr=0xc1923030, dport=5888, naddr=0xd0ff6c00, nport=0xd0ff6b36)
    at ../../../contrib/pf/net/pf.c:2336
#26 0xc04615f0 in pf_test_tcp (rm=0xd0ff6b94, sm=0x0, direction=1, kif=0xc19e8800,
    m=0xc18e5e00, off=20, h=0xc1923020, pd=0xd0ff6be4, am=0xd0ff6b98, rsm=0xd0ff6b9c,
    inp=0x0) at ../../../contrib/pf/net/pf.c:2738
#27 0xc0468853 in pf_test (dir=1, ifp=0xc18d4000, m0=0xd0ff6c80, inp=0x0)
    at ../../../contrib/pf/net/pf.c:5988
#28 0xc04718fd in pf_check_in (arg=0x0, m=0xd0ff6c80, ifp=0xc18d4000, dir=1, inp=0x0)
    at ../../../contrib/pf/net/pf_ioctl.c:3226
#29 0xc0611fdf in pfil_run_hooks (ph=0xc0829780, mp=0xd0ff6ccc, ifp=0xc18d4000, dir=1,
    inp=0x0) at ../../../net/pfil.c:137
#30 0xc0627bf9 in ip_input (m=0xc18e5e00) at ../../../netinet/ip_input.c:439
#31 0xc06109f3 in netisr_processqueue (ni=0xc0828a18) at ../../../net/netisr.c:233
#32 0xc0610bea in swi_net (dummy=0x0) at ../../../net/netisr.c:346
#33 0xc058effd in ithread_loop (arg=0xc17cc500) at ../../../kern/kern_intr.c:547
#34 0xc058e17d in fork_exit (callout=0xc058eea8 <ithread_loop>, arg=0xc17cc500,
    frame=0xd0ff6d48) at ../../../kern/kern_fork.c:811
#35 0xc072a47c in fork_trampoline () at ../../../i386/i386/exception.s:209

FreeBSD 5.2 with pf from ports is not affected.
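The failure mode described above, as an added illustration that is not pf's own source: a reduced model of the binat source-address lookup, with struct and field names modelled on pf's (pf_addr_wrap, pfi_dynaddr, pfid_acnt4) but simplified, and a hypothetical function binat_src_lookup that only dereferences p.dyn when the address type says the address is dynamic.

```c
/* Reduced model written for this note, not pf's code: struct layout and the
 * lookup function are simplified/hypothetical; names follow pf for readability. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum pf_addr_type { PF_ADDR_ADDRMASK, PF_ADDR_DYNIFTL }; /* subset of pf's types */

struct pfi_dynaddr {        /* only the IPv4 fields matter for this example */
    uint32_t pfid_addr4;
    uint32_t pfid_mask4;
    int      pfid_acnt4;    /* number of IPv4 addresses on the interface */
};

struct pf_addr_wrap {
    enum pf_addr_type type;
    union {
        struct { uint32_t addr, mask; } a; /* static address/mask */
        struct pfi_dynaddr *dyn;           /* only valid when type == PF_ADDR_DYNIFTL */
    } p;
};

/* Returns 0 and sets *out, or -1 when no translation applies.
 * The crashing path read p.dyn->pfid_acnt4 for a static source, where p.dyn
 * is NULL; gating on the address type is what prevents that dereference. */
int binat_src_lookup(const struct pf_addr_wrap *src, uint32_t saddr, uint32_t *out)
{
    if (src->type == PF_ADDR_DYNIFTL) {
        if (src->p.dyn == NULL || src->p.dyn->pfid_acnt4 < 1)
            return -1;      /* interface has no IPv4 address to translate to */
        /* PF_POOLMASK-style merge: network bits from the interface, host bits kept */
        *out = (src->p.dyn->pfid_addr4 & src->p.dyn->pfid_mask4) |
               (saddr & ~src->p.dyn->pfid_mask4);
        return 0;
    }
    /* static address: p.dyn is not meaningful here, use the configured addr/mask */
    *out = (src->p.a.addr & src->p.a.mask) | (saddr & ~src->p.a.mask);
    return 0;
}

int main(void)
{
    /* constructed sample: a static source 10.0.0.1/32, packet address 192.168.1.5 */
    struct pf_addr_wrap s = { PF_ADDR_ADDRMASK, { .a = { 0x0A000001u, 0xFFFFFFFFu } } };
    uint32_t out = 0;
    if (binat_src_lookup(&s, 0xC0A80105u, &out) == 0)
        printf("translated to 0x%08x\n", out);
    return 0;
}
```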