Re: FreeBSD 5 ip_gre and netisr_enable=1

From: Max Laier (max_at_love2party.net)
Date: 08/25/05

Next message: Andre Oppermann: "Re: FreeBSD 5 ip_gre and netisr_enable=1"
To: freebsd-net@freebsd.org
Date: Thu, 25 Aug 2005 23:00:58 +0200

    On Thursday 25 August 2005 22:10, ming fu wrote:
    > Hi,
    >
    > This problem exists in some old gre.c (not a part of official FreeBSD) to
    > handle WCCP packets. A carefully crafted packet can cause it to deplete the
    > kernel stack and cause a panic. It can crash a 4.2 kernel with about
    > 200-300 repeated ip+gre headers.
    >
    > I believe the problem appears on FreeBSD 5 with ip_gre() and
    > net.isr.enable = 1. It is probably easier to crash a 5.x because more calls
    > are involved in FreeBSD 5 than 4.x, thus more stack can be consumed with
    > the same repetition of headers.
    >
    > When a GRE packet gets into ip_gre2(), its GRE header is stripped
    > and sent to netisr_dispatch() for ip_input() processing again. In case
    > net.isr.enable is 1, the packet will be delivered to ip_input
    > directly instead of being put in the queue.
    >
    > If someone creates a packet consisting of repeated IP and GRE headers,
    >
    > ip hdr : gre hdr : ip hdr : gre hdr : ...... repeated a few
    > hundred times,
    >
    > it can cause a loop around
    > ip_gre->ip_gre2->netisr_dispatch->ip_input->ip_gre ...; it is not too
    > difficult to deplete the kernel stack.
    >
    > It only takes 24 bytes to force the kernel to go one round through these
    > calls.
    >
    > Any suggestion of how to fix this?
    >
    > Sending the GRE-stripped packet to netisr_queue() is an easy, albeit slow,
    > solution.
    >
    > I fixed the older gre.c file by making sure the inner packet is not GRE
    > before delivering to ip_input. However, it was ugly to parse the inner
    > header in ip_gre2().

    You could use an mbuf_tag to keep track of recursion in the same way it is
    done in gif. There is certainly some overhead involved as well, however.

    -- 
    /"\  Best regards,                      | mlaier@freebsd.org
    \ /  Max Laier                          | ICQ #67774661
     X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
    / \  ASCII Ribbon Campaign              | Against HTML Mail and News
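Added example, not code from the thread, from FreeBSD's gre.c or from gif: a user-space C model of the recursion counter Max suggests, where `struct pkt` stands in for an mbuf and its `gre_depth` field for the mbuf_tag. `GRE_MAX_NESTING`, `decapsulate()` and `nested_result()` are assumed names, and the nested ip+gre input is constructed inline; once the counter reaches the cap the packet is dropped instead of re-dispatched, so the ip_gre->ip_input loop stays bounded however many headers are stacked.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define IP_HDR_LEN      20
#define GRE_HDR_LEN     4
#define PROTO_GRE       47
#define GRE_MAX_NESTING 3   /* assumed cap; gif enforces a similar small limit */
/* Stands in for an mbuf; gre_depth stands in for the mbuf_tag recursion counter. */
struct pkt { const uint8_t *data; size_t len; int gre_depth; };
static int ip_input(struct pkt *p);
/* Model of ip_gre2(): strip GRE, bump the counter, re-dispatch to ip_input. */
static int gre_input(struct pkt *p) {
    if (p->len < GRE_HDR_LEN)
        return -1;                      /* truncated packet */
    if (p->gre_depth >= GRE_MAX_NESTING)
        return -2;                      /* nesting cap reached: drop instead of recursing */
    p->gre_depth++;
    p->data += GRE_HDR_LEN;
    p->len -= GRE_HDR_LEN;
    return ip_input(p);                 /* direct dispatch, as with net.isr.enable=1 */
}
/* Model of ip_input(): minimal header sanity checks, then protocol demux. */
static int ip_input(struct pkt *p) {
    if (p->len < IP_HDR_LEN || (p->data[0] >> 4) != 4)
        return -1;
    uint8_t proto = p->data[9];
    p->data += IP_HDR_LEN;
    p->len -= IP_HDR_LEN;
    return proto == PROTO_GRE ? gre_input(p) : p->gre_depth;
}
/* Returns layers stripped on delivery, -1 on a malformed packet, -2 if capped. */
int decapsulate(const uint8_t *buf, size_t len) {
    struct pkt p = { buf, len, 0 };
    return ip_input(&p);
}
/* Constructed input: n ip+gre layers (24 bytes each) around an inner non-GRE
 * (ICMP, proto 1) IP packet, fed through decapsulate(). */
int nested_result(int n) {
    uint8_t buf[8192];
    size_t need = (size_t)n * (IP_HDR_LEN + GRE_HDR_LEN) + IP_HDR_LEN;
    if (n < 0 || need > sizeof buf) return -1;
    memset(buf, 0, need);
    for (int i = 0; i <= n; i++) {
        uint8_t *ip = buf + (size_t)i * (IP_HDR_LEN + GRE_HDR_LEN);
        ip[0] = 0x45;                   /* IPv4, IHL 5 */
        ip[9] = (i < n) ? PROTO_GRE : 1;
    }
    return decapsulate(buf, need);
}
```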