OpenBSD Journal

Update Your Patched Firewall

Contributed by jose from the fix0rific dept.

Seen recently on the PF mailing list:
First, this only affects you if you applied the refrag.diff to an
OpenBSD 3.1-stable system.

The bridge refragmentation code that was added in OpenBSD 3.1-current
introduced two new bugs which can lead to the following kind of kernel
panics:

  panic: m_copym0: m == 0 and not COPYALL
  panic: m_copydata: null muf

These occur only on pf bridges when scrub is enabled. While the bugs
obviously affect stability, it's uncertain whether they can be
exploited.

The relevant code (which was itself a bugfix) was not committed to the
3.1 stable branch (due to its size), but a patch against 3.1-stable
(refrag.diff) was provided and recommended to solve the initial bridge
problem.

The bugs are now fixed in 3.2-current, but if you're running 3.1-stable
with the refrag.diff patch applied, you should revert to 3.1-stable and
apply the updated patch.
The full message and the link to the patch are available in this message on the PF mailing list.

If you're out of sync with patches and are running this code branch, this may be the source of some instabilities in your firewall.



Comments
  1. By Jedi/Sector One (j@pureftpd.org, http://www.pureftpd.org)

    OpenBSD 3.1 is not affected.
    OpenBSD 3.1-STABLE is not affected.
    OpenBSD 3.2 is not released, and when it will, the patch will already be available.

    So, what's the deal?

  2. By Anonymous Coward

    I think this again shows that TCP/IP in the kernel is a bad idea. TCP/IP has to deal with the most dangerous input of all (untrusted crap from the net) so it should run at the lowest possible privilege level, instead of running at the highest level, which is the kernel. That is the exact opposite of what it should be doing.
