lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <1383557174-19424-1-git-send-email-alex.aring@gmail.com>
Date:	Mon,  4 Nov 2013 10:26:13 +0100
From:	Alexander Aring <alex.aring@...il.com>
To:	davem@...emloft.net
Cc:	kuznet@....inr.ac.ru, jmorris@...ei.org, yoshfuji@...ux-ipv6.org,
	kaber@...sh.net, netdev@...r.kernel.org,
	Alexander Aring <alex.aring@...il.com>
Subject: [PATCH/RFC net] ipv6: probably fragmentation bug

I currently working for 6lowpan and try to use the fragmentation api like in ipv6.

Maybe I do something wrong with using the api but I don't catch any mistakes and
my sk_buff is already sent to the ipv6 layer correctly.

In a very poor connection with high payload(which is good for testing) I got a nullpointer
dereference when the fragmentation expire timer occurs.

BUG: unable to handle kernel NULL pointer dereference
at 0000000c
IP: [<c0389538>] _decode_session6+0x4f/0x1db
*pde = 00000000
Oops: 0000 [#1] SMP
Modules linked in:
CPU: 0 PID: 0 Comm: swapper/0 Not tainted
3.12.0-rc6-12694-g9ce9a7b-dirty #194
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
task: c05007e8 ti: c7808000 task.ti: c04f6000
EIP: 0060:[<c0389538>] EFLAGS: 00210246 CPU: 0
EIP is at _decode_session6+0x4f/0x1db
EAX: 00000000 EBX: c5e602e0 ECX: 00000000 EDX: c5e65c3d
ESI: c5e602e0 EDI: c7809ee8 EBP: c7809eac ESP: c7809e70
 DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
CR0: 8005003b CR2: 0000000c CR3: 07b31000 CR4: 00000690
Stack:
 00000005 00282c6c 00000001 c05232dc c5e602e0 c0095bc0 c051de00 c0360508
 c7809eac c5e602e0 c5e602e0 c037ef65 00000001 c795aa60 c795aa60 00000000
 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
Call Trace:
 [<c0360508>] ? __xfrm_decode_session+0x22/0x2f
 [<c037ef65>] ? icmpv6_route_lookup+0xa9/0x119
 [<c037f396>] ? icmp6_send+0x3c1/0x4bf
 [<c037efd5>] ? icmpv6_route_lookup+0x119/0x119
 [<c038cea6>] ? icmpv6_send+0x17/0x1a
 [<c0382fbd>] ? ip6_expire_frag_queue+0x10a/0x11b
 [<c0382fce>] ? ip6_expire_frag_queue+0x11b/0x11b
 [<c0127eda>] ? call_timer_fn.isra.28+0x13/0x58
 [<c01280bf>] ? run_timer_softirq+0x11a/0x14d
 [<c0124097>] ? __do_softirq+0x95/0x13c

Maybe this occurs because I did some mistakes in my current 6lowpan fragmentation
implementation. That's why I sending it to this mailinglist... or maybe I found a bug.

The patch fix this issue you can find the removal of skb_dst_drop(skb) which
was comming in on commit id: 97599dc792b45b1669c3cdb9a4b365aad0232f65

Maybe this wasn't a correct solution. We need the sk_buff sometimes when the expire occurs to call
the icmp6_send function.

Regards Alex

Alexander Aring (1):
  ipv6: fix fragmentation bug

 net/ipv6/reassembly.c | 1 -
 1 file changed, 1 deletion(-)

-- 
1.8.4.2

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ