[issue225] panic in pf_purge_expired_states
Simon 'corecode' Schubert
corecode at fs.ei.tum.de
Mon Jan 15 15:43:13 PST 2007
Matthew Dillon wrote:
Also, what is the actual panic message and trap frame ?
okay, more details on this one now:
- all panics happen in the RB_REMOVE functions called from pf_purge_expired_states/RB_SCAN().
- all are null pointer dereferences in RB_REMOVE_COLOR
- it seems this is due to a "broken" rb tree layout (i.e. one black parent only having one black child)
- all states had the expire approximately 15-20 seconds before
- all states had the expire 0-2 seconds after the creation
- all states were of type IPV6_ICMP
- all states had gwy and lan address set to a very strange kind of address, like ff02:5:0:0:0:1:ff00:2 (only the last two parts seem to change sometimes), the ext address was set to ::0 (except for one)
- all states had direction = PF_IN (except for this one exception)
so this looks quite like a software bug within pf, but I am open to other suggestions.
there indeed happens to be occasional ipv6 traffic on the wire.
cheers
simon
--
Serve - BSD +++ RENT this banner advert +++ ASCII Ribbon /"\
Work - Mac +++ space for low €€€ NOW!1 +++ Campaign \ /
Party Enjoy Relax | http://dragonflybsd.org Against HTML \
Dude 2c 2 the max ! http://golden-apple.biz Mail + News / \
More information about the Bugs
mailing list