Darren Reed wrote:
To test this bug, I use the following rule:
bimap zx0 0/0 -> 1.1.1.3
and put that in a file called "tcpfrag.nat", with this block of text:
[out,zx0]
4500 00a0 0000 0100 3f06 7555 0101 0101 0201 0101
0401 0019 0000 0000 0000 0000 5010 2000 86b7 0000
0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
put that in a file (with trailing blank line) called "tcpfrag.pkt"
and then run ipftest:
$ ipftest -F hex -N tcpfrag.nat -i tcpfrag.pkt
Segmentation fault (core dumped)
I'll add this as a test case when I commit the fix for the bug.
Cheers,
Darren
Hi Darren,
I am now getting the following panic:
Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address = 0x1c
fault code = supervisor write, page not present
instruction pointer = 0x20:0xc06404ba
stack pointer = 0x28:0xc75169f8
frame pointer = 0x28:0xc75169f8
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 13 (swi1: net)
trap number = 12
panic: page fault
cpuid = 0
Uptime: 1h4m48s
Dumping 111 MB (2 chunks)
chunk 0: 1MB (159 pages) ... ok
chunk 1: 111MB (28400 pages) 95 79 63 47 31 15
#0 doadump () at pcpu.h:165
165 __asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) add-symbol-file
/mnt/src/ip_fil4.1.26/BSD/FreeBSD-6.1-STABLE-i386/ipf.ko 0xc0b3b084
add symbol table from file
"/mnt/src/ip_fil4.1.26/BSD/FreeBSD-6.1-STABLE-i386/ipf.ko" at
.text_addr = 0xc0b3b084
(y or n) y
Reading symbols from
/mnt/src/ip_fil4.1.26/BSD/FreeBSD-6.1-STABLE-i386/ipf.ko...done.
(kgdb) bt
#0 doadump () at pcpu.h:165
#1 0xc06492b2 in boot (howto=260) at ../../../kern/kern_shutdown.c:409
#2 0xc06495d9 in panic (fmt=0xc0910386 "%s") at
../../../kern/kern_shutdown.c:565
#3 0xc082d99c in trap_fatal (frame=0xc75169b8, eva=28) at
../../../i386/i386/trap.c:837
#4 0xc082d6db in trap_pfault (frame=0xc75169b8, usermode=0, eva=28)
at ../../../i386/i386/trap.c:745
#5 0xc082d335 in trap (frame=
{tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = 0, tf_esi =
-1061813396, tf_ebp = -950965768, tf_isp = -950965788, tf_ebx =
-1032953240, tf_edx = -1048515968, tf_ecx = 0, tf_eax = 4, tf_trapno =
12, tf_err = 2, tf_eip = -1067187014, tf_cs = 32, tf_eflags = 590466,
tf_esp = -950965720, tf_ss = -1061944816}) at
../../../i386/i386/trap.c:435
#6 0xc08198fa in calltrap () at ../../../i386/i386/exception.s:139
#7 0xc06404ba in _mtx_lock_flags (m=0x0, opts=0, file=0xc0b5a16f
"../../fil.c", line=5222) at atomic.h:146
#8 0xc0b40210 in fr_movequeue (tqe=0xc26e6268, oifq=0x0,
nifq=0xc0b6036c) at ../../fil.c:5222
#9 0xc0b4d81b in fr_tcp_age (tqe=0xc26e6268, fin=0x4, tqtab=0x4,
flags=0, seqnext=0) at ../../ip_state.c:3605
#10 0xc0b468aa in nat_update (fin=0xc7516b40, nat=0xc26e6200,
np=0xc94d76c) at ../../ip_nat.c:3666
#11 0xc0b473db in fr_natin (fin=0xc7516b40, nat=0xc26e6200, natadd=0,
nflags=1) at ../../ip_nat.c:4244
#12 0xc0b47208 in fr_checknatin (fin=0xc7516b40, passp=0xc7516b3c) at
../../ip_nat.c:4124
#13 0xc0b3da71 in fr_check (ip=0xc1c32010, hlen=20, ifp=0x4, out=0,
mp=0xc7516c48) at ../../fil.c:2568
#14 0xc0b3b0c1 in fr_check_wrapper (arg=0x0, mp=0xc180ea80,
ifp=0xc1915c00, dir=1) at ip_fil.c:176
#15 0xc06c336f in pfil_run_hooks (ph=0xc0a12300, mp=0xc7516ca8,
ifp=0xc1915c00, dir=1, inp=0x0) at ../../../net/pfil.c:139
#16 0xc06ff42a in ip_input (m=0xc1c02d00) at
../../../netinet/ip_input.c:468
#17 0xc06c1f1b in netisr_processqueue (ni=0xc0a0f818) at
../../../net/netisr.c:236
#18 0xc06c211a in swi_net (dummy=0x0) at ../../../net/netisr.c:349
#19 0xc0633e91 in ithread_execute_handlers (p=0xc180d648,
ie=0xc1834000) at ../../../kern/kern_intr.c:682
#20 0xc0633fa1 in ithread_loop (arg=0xc17eb8d0) at
../../../kern/kern_intr.c:765
#21 0xc0632c45 in fork_exit (callout=0xc0633f4c <ithread_loop>,
arg=0xc17eb8d0, frame=0xc7516d38) at ../../../kern/kern_fork.c:821
#22 0xc081995c in fork_trampoline () at ../../../i386/i386/exception.s:208
(kgdb)
Should we not stop in this situation and return -1?
Steve
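The test packet from Darren's "tcpfrag.pkt", decoded as an added example (Python written for this page, not code from the thread or from IPFilter): it parses the ipftest -F hex block, verifies the IP header checksum, and shows that the packet is a non-initial TCP fragment (offset 2048, MF clear), so the bytes after the IP header are payload rather than a TCP header that NAT or state-ageing code like fr_tcp_age should act on. The [direction,ifname] header line and the 16-bit-word layout are assumed from the thread's own input; the constructed copy of the packet is embedded inline.

```python
import struct

# Constructed copy of the thread's "tcpfrag.pkt" in ipftest -F hex layout (assumed): a
# [direction,ifname] header line, then the packet as 16-bit hex words.
ZERO_LINE = " ".join(["0000"] * 10) + "\n"
TCPFRAG_HEX = (
    "[out,zx0]\n"
    "4500 00a0 0000 0100 3f06 7555 0101 0101 0201 0101\n"
    "0401 0019 0000 0000 0000 0000 5010 2000 86b7 0000\n"
    + ZERO_LINE * 6
)

def parse_hex_packet(text):
    """Split one ipftest hex block into (direction, ifname, raw packet bytes)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    hdr = lines[0]
    if not (hdr.startswith("[") and hdr.endswith("]") and "," in hdr):
        raise ValueError("expected a [direction,ifname] header line")
    direction, ifname = hdr[1:-1].split(",", 1)
    words = " ".join(lines[1:]).split()
    raw = b"".join(int(w, 16).to_bytes(2, "big") for w in words)
    return direction, ifname, raw

def ip_checksum_ok(hdr):
    """Ones-complement sum of the whole header (checksum field included) must be 0xffff."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return total == 0xffff

def classify(raw):
    """Decode the IPv4 header and record whether a transport header is really present."""
    ver_ihl, _tos, tlen, _id, frag, _ttl, proto, _csum = struct.unpack("!BBHHHBBH", raw[:12])
    ihl = (ver_ihl & 0x0f) * 4
    info = {"total_len": tlen, "proto": proto, "ihl": ihl, "csum_ok": ip_checksum_ok(raw[:ihl]),
            "df": bool(frag & 0x4000), "mf": bool(frag & 0x2000), "frag_offset": (frag & 0x1fff) * 8}
    # Only the first fragment (offset 0) carries the TCP header; in any later fragment the
    # bytes after the IP header are payload and must not drive NAT or TCP-state logic.
    info["has_l4_header"] = info["frag_offset"] == 0
    if proto == 6 and info["has_l4_header"] and len(raw) >= ihl + 20:
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
        info["tcp"] = {"sport": sport, "dport": dport, "flags": off_flags & 0x3f}
    return info

def safe_for_tcp_state(info):
    """Gate a state/NAT engine should pass before ageing or creating TCP state for a packet."""
    return info["csum_ok"] and info["proto"] == 6 and info["has_l4_header"]
```

For the thread's packet `safe_for_tcp_state` is False purely because of the fragment offset; a version of the same bytes with the fragment field cleared would expose the TCP ports 1025 and 25 but then fail the header checksum.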