FreeBSD 5 ip_gre and netisr_enable=1

• Previous message: Patrick Lindholm: "Routing?"
• Next in thread: Max Laier: "Re: FreeBSD 5 ip_gre and netisr_enable=1"
• Reply: Max Laier: "Re: FreeBSD 5 ip_gre and netisr_enable=1"
• Reply: Robert Watson: "Re: FreeBSD 5 ip_gre and netisr_enable=1"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Date: Thu, 25 Aug 2005 16:10:11 -0400
To: freebsd-net@freebsd.org

Hi,

This problem exit in some old gre.c (not a part of official freebsd) to
handle wccp packets. A carefully crafted packet can cause it to deplete
kernel stack and casuing a panic. It can crash a 4.2 kernel with about
200-300 repeated ip+gre header.

I believe the problem appears on FreeBSD 5 with ip_gre() and
net.isr.enable = 1. It probably easier to crash a 5.x because more calls
are involved in FreeBSD 5 than 4.x, thus more stack can be consumed with
the same repetition of headers.

when a GRE packet gets into the ip_gre2(), its gre header is stripped
and sent to netisr_dispatch() for ip_input() processing again. In case,
the net.isr.enable is 1, the packet will be delivered to ip_input
directly instead of put in the queue.

If someone create a packet consists of repeated ip and gre header,

    ip hdr : gre hdr : ip hdr : gre hdr : ...... repeat a few
hundred times.

it can cause a loop around
ip_gre->ip_gre2->netisr_dispatch->ip_input->ip_gre ..., not too
difficult to deplete the kernel stack.

It only takes 24 bytes to force the kernel to go one round through these
calls.

Any suggestion of how to fix this?

send the gre stripped packet to netisr_queue() is an easy, albeit slow
solution.

I fix the older gre.c file by making sure the inner packet is not a GRE
before deliver to ip_input. However, it was ugly to parse the inner
header of in ip_gre2().

Regards,
Ming
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

• Previous message: Patrick Lindholm: "Routing?"
• Next in thread: Max Laier: "Re: FreeBSD 5 ip_gre and netisr_enable=1"
• Reply: Max Laier: "Re: FreeBSD 5 ip_gre and netisr_enable=1"
• Reply: Robert Watson: "Re: FreeBSD 5 ip_gre and netisr_enable=1"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Relevant Pages Re: add field to skb header ... > I'm working in the 2.4.20 kernel. ... > This serial number will be added to every IP packet, ... how can I add a field to the IP header? ... Tauno Voipio ... (comp.os.linux.networking) Re: Kernel panic due to NF_IP_LOCAL_OUT handler calling itself again ... When you receive the icmp dest unreach message, do you drop it or inform the ... > option, I am using kernel 2.6.5, without smp and preemption support. ... describing the source route and the route error. ... Also every src routed packet carries with it ... (comp.os.linux.networking) ng_netflow and router performance question ... and 25K different flows the router looses most of the packets. ... When packet do not pass ng_netgraph router handles 60K pkt/s just fine. ... what kernel and set of ip stack optimization options were used. ... (freebsd-net) CONFIG_PACKET_MMAP revisited ... I've been looking into faster ways to do packet captures and I stumbled on ... In that discussion Jamie Lokier suggested having a memory buffer that's ... shared between user and kernel space and having the NIC do DMA transfers ... (Linux-Kernel) [PATCH 2.6.15.4 1/1][RFC] ipt_owner: inode match supporting both incoming and outgoing packets ... I am not familiar with kernel internals, so please correct me where I am ... filter packets by the program who is going to receive the packet ... when multiple programs share a socket, ... struct vfsmount **mnt) ... (Linux-Kernel)