Bug #2538

open

ipfilter breaks fragment cache table

Added by Ichiko Sakamoto over 10 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
-
Start date:
2012-03-26
Due date:
% Done:
0%

Estimated time:
Difficulty:
Medium
Tags:
needs-triage
Gerrit CR:

Description

The ipf fragment cache table is protected by an rwlock.
Although fr_fraglookup() modifies the cache list, it is called under a read lock.

illumos-gate/usr/src/uts/common/inet/ipf/ip_frag.c

    492 static ipfr_t *fr_fraglookup(fin, table)
    493 fr_info_t *fin;
    494 ipfr_t *table[];
    495 {
    ...
    553                 /*
    554                  * Move fragment info. to the top of the list
    555                  * to speed up searches.  First, delink...
    556                  */
    557                 fp = f->ipfr_hprev;
    558                 (*fp) = f->ipfr_hnext;
    559                 if (f->ipfr_hnext != NULL)
    560                     f->ipfr_hnext->ipfr_hprev = fp;
    561                 /*
    562                  * Then put back at the top of the chain.
    563                  */
    564                 f->ipfr_hnext = table[idx];
    565                 table[idx]->ipfr_hprev = &f->ipfr_hnext;
    566                 f->ipfr_hprev = table + idx;
    567                 table[idx] = f;
    ...

    662 frentry_t *fr_knownfrag(fin, passp)
    663 fr_info_t *fin;
    664 u_32_t *passp;
    665 {
    666     frentry_t *fr = NULL;
    667     ipfr_t    *fra;
    668     u_32_t pass, oflx;
    669     ipf_stack_t *ifs = fin->fin_ifs;
    670 
    671     if (ifs->ifs_fr_frag_lock || (ifs->ifs_ipfr_list == NULL))
    672         return NULL;
    673 
--> 674     READ_ENTER(&ifs->ifs_ipf_frag);
    675     oflx = fin->fin_flx;
    676     fra = fr_fraglookup(fin, ifs->ifs_ipfr_heads);

This causes a kernel panic or a busy CPU loop.
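To make the failure concrete, here is an added model (not code from illumos-gate or from the reporter) of the move-to-front step quoted above, run on a small constructed three-entry chain: the link shape (forward pointer plus a pointer to the link that points at the entry) mirrors ipfr_hnext/ipfr_hprev in ip_frag.c, and `interleaved()` shows one interleaving that two concurrent lookups are allowed under a read lock, which leaves the entry linked to itself so a plain chain walk never terminates.

```c
#include <stddef.h>
/* Model of an ipfr_t hash chain with ip_frag.c's link shape: hnext is the
 * forward link, hprev points at the link that currently points here. */
typedef struct frag { struct frag *hnext; struct frag **hprev; } frag_t;
/* Delink step of fr_fraglookup's move-to-front. */
static void delink(frag_t *f) {
    frag_t **fp = f->hprev;
    *fp = f->hnext;
    if (f->hnext != NULL)
        f->hnext->hprev = fp;
}
/* Relink step: put f back at the top of the chain. */
static void relink_head(frag_t **head, frag_t *f) {
    f->hnext = *head;
    if (*head != NULL)
        (*head)->hprev = &f->hnext;
    f->hprev = head;
    *head = f;
}
/* Constructed sample chain n[0] -> ... -> n[k-1] hanging off *head. */
static void build(frag_t *n, int k, frag_t **head) {
    for (int i = 0; i < k; i++) {
        n[i].hprev = head; n[i].hnext = NULL;
        *head = &n[i]; head = &n[i].hnext;
    }
}
/* Walk the chain as a lookup does: node count, or -1 on a bad back pointer
 * or a walk that does not terminate (a cycle). */
int chain_len(frag_t **head) {
    int n = 0;
    for (frag_t *f = *head; f != NULL; head = &f->hnext, f = f->hnext)
        if (f->hprev != head || ++n > 1000)
            return -1;
    return n;
}
/* Two lookups that both hit entry B, serialized as a write lock would force. */
int serialized(void) {
    frag_t n[3], *head = NULL;
    build(n, 3, &head);
    delink(&n[1]); relink_head(&head, &n[1]);
    delink(&n[1]); relink_head(&head, &n[1]);
    return chain_len(&head);    /* 3: chain is B -> A -> C, links consistent */
}
/* The same two lookups interleaved as two readers can be under READ_ENTER:
 * both delink B, then both push it to the top, so B ends up linked to itself. */
int interleaved(void) {
    frag_t n[3], *head = NULL;
    build(n, 3, &head);
    delink(&n[1]); delink(&n[1]);
    relink_head(&head, &n[1]); relink_head(&head, &n[1]);
    return chain_len(&head);    /* -1: B -> B, a plain chain walk never ends */
}
```

Taking the write side of the rwlock around the lookup (or deferring the move-to-front to a writer) serializes the two operations into the `serialized()` order.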
