>Number:         166372
>Category:       kern
>Synopsis:       [patch] ipfilter drops UDP packets with zero checksum on some interfaces
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Mar 24 11:30:10 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Manuel Kasper
>Release:        8.2-RELEASE
>Organization:
>Environment:
FreeBSD builder82.m0n0.ch 8.2-RELEASE-p3 FreeBSD 8.2-RELEASE-p3 #0: Tue Sep 27 18:07:27 UTC 2011 [email protected]:/usr/obj/usr/src/sys/GENERIC i386
>Description:
When using ipfilter with certain network interfaces (if_vr and if_bge are known 
to be affected), UDP packets with zero checksum are dropped (ipmon log entries 
show "bad"). This causes problems in applications that use such packets, such 
as the common Cisco VPN.

The problem is that not all drivers set csum_data to 0xffff for packets with 
zero UDP checksum, so the code in sys/contrib/ipfilter/netinet/ip_fil_freebsd.c 
should check for zero UDP checksums first.

The attached patch solves the issue.
>How-To-Repeat:

>Fix:
See attached patch.

Patch attached with submission follows:

--- sys/contrib/ipfilter/netinet/ip_fil_freebsd.c.orig  2010-12-21 
18:09:25.000000000 +0100
+++ sys/contrib/ipfilter/netinet/ip_fil_freebsd.c       2012-03-24 
12:10:52.000000000 +0100
@@ -1352,6 +1352,18 @@
        ip = fin->fin_ip;
 
        if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID) {
+               /* UDP may have zero checksum */
+               if (fin->fin_p == IPPROTO_UDP && (fin->fin_flx & 
(FI_FRAG|FI_SHORT|FI_BAD)) == 0) {
+                       udphdr_t *udp = fin->fin_dp;
+                       if (udp->uh_sum == 0) {
+                               /* we're good no matter what the hardware 
checksum flags
+                                  and csum_data say (handling of csum_data for 
zero UDP
+                                  checksum is not consistent across all 
drivers) */
+                               fin->fin_cksum = 1;
+                               return;
+                       }
+               }
+
                if (m->m_pkthdr.csum_flags & CSUM_PSEUDO_HDR)
                        sum = m->m_pkthdr.csum_data;
                else
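Review bot: The new early return on udp->uh_sum == 0 is not restricted to IPv4, and nothing in the visible lines shows that this function is only reached for IPv4 packets. A zero UDP checksum means "no checksum computed" only over IPv4 (RFC 768); over IPv6 the UDP checksum is mandatory, so if this path can see IPv6 the condition should also test the IP version (for example fin->fin_v == 4) instead of setting fin_cksum = 1. Separately, the if condition and the block comment run well past 80 columns, which is why the mailer wrapped them and why the patch will not apply as posted; please reflow both and resend the diff as an unwrapped attachment.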


>Release-Note:
>Audit-Trail:
>Unformatted:
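The ordering the description asks for, shown as an added user-space example (not code from the patch or from ipfilter): the zero-checksum test has to run before any checksum comparison, otherwise an IPv4 datagram sent without a checksum is judged bad. The function names, the honor_zero switch and the sample datagram are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
enum udp_verdict { UDP_CSUM_ABSENT, UDP_CSUM_OK, UDP_CSUM_BAD };

/* Add len bytes as big-endian 16-bit words to acc, folding carries (RFC 1071). */
static uint32_t sum16(const uint8_t *p, size_t len, uint32_t acc)
{
    for (; len > 1; p += 2, len -= 2)
        acc += ((uint32_t)p[0] << 8) | p[1];
    if (len)
        acc += (uint32_t)p[0] << 8;          /* odd trailing byte, zero padded */
    while (acc >> 16)
        acc = (acc & 0xffff) + (acc >> 16);
    return acc;
}

/* udp points at the UDP header, cap is the number of bytes available.
 * honor_zero = 0 models a verifier that skips the zero-checksum test. */
enum udp_verdict udp4_check(const uint8_t src[4], const uint8_t dst[4],
                            const uint8_t *udp, size_t cap, int honor_zero)
{
    size_t ulen = cap < 8 ? 0 : (((size_t)udp[4] << 8) | udp[5]);
    if (ulen < 8 || ulen > cap)
        return UDP_CSUM_BAD;                 /* truncated or inconsistent length */
    if (honor_zero && udp[6] == 0 && udp[7] == 0)
        return UDP_CSUM_ABSENT;              /* IPv4 sender computed no checksum */
    uint8_t ph[4] = { 0, 17, udp[4], udp[5] };  /* zero, protocol, UDP length */
    uint32_t acc = sum16(src, 4, 0);
    acc = sum16(dst, 4, acc);
    acc = sum16(ph, 4, acc);
    acc = sum16(udp, ulen, acc);
    return acc == 0xffff ? UDP_CSUM_OK : UDP_CSUM_BAD;
}

/* Constructed sample: 192.0.2.1:500 -> 192.0.2.2:500 with 4 payload bytes. */
enum udp_verdict sample_verdict(uint8_t ck_hi, uint8_t ck_lo, int honor_zero)
{
    static const uint8_t src[4] = { 192, 0, 2, 1 }, dst[4] = { 192, 0, 2, 2 };
    uint8_t pkt[12] = { 0x01, 0xf4, 0x01, 0xf4, 0x00, 0x0c, ck_hi, ck_lo, 0, 1, 2, 3 };
    return udp4_check(src, dst, pkt, sizeof pkt, honor_zero);
}

int main(void)
{
    printf("valid=%d zero=%d zero_unchecked=%d\n", sample_verdict(0x75, 0xe6, 1),
           sample_verdict(0, 0, 1), sample_verdict(0, 0, 0));
    return 0;
}
```

UDP_CSUM_ABSENT is kept distinct from UDP_CSUM_OK so that a filter policy can tell "verified" from "nothing to verify".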