Title: IPF4.1.13 + Pfil 2.1.8 crash on Solaris 8
IPFilter crashed on Solaris 8 during a stress test.

I found that the reason is a NULL pointer dereference in
static void nat_delete(nat, logtype)

when calling

fr_deletequeueentry(&nat->nat_tqe);

It appears that *nat->nat_tqe is NULL at that time, as shown with MDB.

panic[cpu0]/thread=2a1001c5d20:
0x300114d6580: BAD TRAP: type=31 rp=2a1001c4200 addr=0 mmu_fsr=0
occurred in module "unix" due to a NULL pointer dereference

%l4-7: 0000000000001fb0 00000000104b54ec 0000000000000006 000002a1001c4200
0x30006900543: 000002a1001c42a0 ipf:fr_deletequeueentry+8 (3000dd42960, 0, 53555554, 0, 97cdf700, 0)
0x300068fc0e3: %l0-3: 0000000000000040 000003000dd42a08 000002a1001c4314 0000000000000000
%l4-7: 000002a1001c4310 0000000000000000 000002a10009dd20 0000000000000000
0x300082b98c3: 000002a1001c4360 ipf:nat_delete+178 (3000dd428c0, ffff, 0, 104b54c8, 0, 104b54c8)
0x300082b8843: %l0-3: 0000000000000000 000003000dd42920 0000000000005c5c 000003000dd428c0
%l4-7: 000003000dd42a0a 000003000dd428c0 000003000dd428e8 0000000000000001
0x300078902a3: 000002a1001c4440 ipf:fr_natderef+48 (2a1001c46b8, 2a1001c461c, 2a1001c4628, 104b7128, 1, 3000dd428c0)

> 3000dd42960::whatis
3000dd42960 is 3000dd428c0+a0, allocated from kmem_alloc_512
> 3000dd42960::dump
\/ 1 2 3 4 5 6 7 8 9 a b c d e f v123456789abcdef
3000dd42960 00 00 00 00 00 00 00 00 00 00 03 00 09 e8 2b 58 ..............+X

One possible fix would be to check that nat->nat_tqe is not NULL, as in

if (nat->nat_tqe)
        fr_deletequeueentry(&nat->nat_tqe);

I have a question: what can cause nat->nat_tqe = NULL while the rest of
the nat entry is valid?

Thanks,

Andrew Zhu
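The following is an added, stand-alone illustration of the failure pattern described in the post and of the guarded delete it proposes; it is not IPFilter code and not part of the original message. It models a timeout queue with the pnext/next style linkage (hypothetical names tqent_t, tq_t, session_t, tq_delete_checked; all assumptions) and shows the two states in which an entry can reach the delete routine with NULL link fields while the record that embeds it is otherwise intact: an entry that was never added to a queue, and an entry deleted twice. The unguarded delete is kept only to show where the NULL dereference happens; the scenario never calls it, because it would fault.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical simplified timeout-queue entry (an assumption, not IPFilter's
 * ipftqent_t): tqe_pnext is the address of the pointer that points at us and
 * tqe_ifq is the queue we are on; both are NULL when the entry is not queued. */
typedef struct tqent {
    struct tqent **tqe_pnext;
    struct tqent  *tqe_next;
    struct tq     *tqe_ifq;
    unsigned long  tqe_die;
} tqent_t;

typedef struct tq {
    tqent_t  *tq_head;
    tqent_t **tq_tail;
    int       tq_count;
} tq_t;

/* A NAT-like record that embeds its queue entry, as the post's nat entry does. */
typedef struct session {
    unsigned long id;
    tqent_t tqe;
} session_t;

void tq_init(tq_t *q) { q->tq_head = NULL; q->tq_tail = &q->tq_head; q->tq_count = 0; }

void tq_append(tq_t *q, tqent_t *e, unsigned long die) {
    e->tqe_next = NULL;
    e->tqe_pnext = q->tq_tail;
    *q->tq_tail = e;
    q->tq_tail = &e->tqe_next;
    e->tqe_ifq = q;
    e->tqe_die = die;
    q->tq_count++;
}

/* Unguarded delete: trusts that the entry is queued. If the links are NULL
 * (never queued, or already cleared) the first dereference faults, which is
 * the shape of the panic in the post. Shown for contrast, never called below. */
void tq_delete_unguarded(tqent_t *e) {
    tq_t *q = e->tqe_ifq;
    *e->tqe_pnext = e->tqe_next;           /* NULL pointer dereference if tqe_pnext == NULL */
    if (e->tqe_next != NULL)
        e->tqe_next->tqe_pnext = e->tqe_pnext;
    else
        q->tq_tail = e->tqe_pnext;         /* NULL pointer dereference if tqe_ifq == NULL */
    q->tq_count--;
}

/* Guarded delete: refuse an entry that is not on a queue, unlink it, then clear
 * its links so that a second delete is reported instead of corrupting memory. */
int tq_delete_checked(tqent_t *e) {
    tq_t *q = e->tqe_ifq;
    if (q == NULL || e->tqe_pnext == NULL)
        return -1;                         /* never queued, or already removed */
    *e->tqe_pnext = e->tqe_next;
    if (e->tqe_next != NULL)
        e->tqe_next->tqe_pnext = e->tqe_pnext;
    else
        q->tq_tail = e->tqe_pnext;
    q->tq_count--;
    e->tqe_pnext = NULL;
    e->tqe_next = NULL;
    e->tqe_ifq = NULL;
    return 0;
}

/* Walk the queue, verify every back link and the tail pointer, and return the
 * length, or -1 if the queue is inconsistent. */
int tq_check(tq_t *q) {
    int n = 0;
    tqent_t **pp = &q->tq_head;
    for (tqent_t *e = q->tq_head; e != NULL; e = e->tqe_next) {
        if (e->tqe_pnext != pp || e->tqe_ifq != q) return -1;
        pp = &e->tqe_next;
        n++;
    }
    if (q->tq_tail != pp) return -1;
    return n == q->tq_count ? n : -1;
}

/* Constructed scenario: two queued records, one zero-filled record that was
 * never queued, a normal delete, a double delete and a delete of the unqueued
 * record. Returns 0 when the guarded delete rejected the bad cases and the
 * queue stayed consistent throughout. */
int scenario(void) {
    tq_t q;
    session_t a, b, never_queued;
    memset(&never_queued, 0, sizeof never_queued); /* all-zero links, record otherwise valid */
    tq_init(&q);
    tq_append(&q, &a.tqe, 10);
    tq_append(&q, &b.tqe, 20);
    if (tq_check(&q) != 2) return 1;
    if (tq_delete_checked(&a.tqe) != 0 || tq_check(&q) != 1) return 2;
    if (tq_delete_checked(&a.tqe) != -1 || tq_check(&q) != 1) return 3;          /* double delete */
    if (tq_delete_checked(&never_queued.tqe) != -1 || tq_check(&q) != 1) return 4; /* never queued */
    if (tq_delete_checked(&b.tqe) != 0 || tq_check(&q) != 0) return 5;
    return 0;
}

int main(void) {
    printf("scenario result: %d\n", scenario());
    return scenario();
}
```

The check alone stops the panic; clearing the links on the way out is what turns a later double delete into a rejected call rather than a write through a stale pnext into a queue the entry is no longer on.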
