[issue225] panic in pf_purge_expired_states

Simon 'corecode' Schubert corecode at fs.ei.tum.de
Mon Jan 15 15:43:13 PST 2007

Matthew Dillon wrote:
    Also, what is the actual panic message and trap frame ?
okay, more details on this one now:

- all panics happen in the RB_REMOVE functions called from pf_purge_expired_states/RB_SCAN().
- all are null pointer dereferences in RB_REMOVE_COLOR
- it seems this is due to a "broken" rb tree layout (i.e. one black parent only having one black child)
- all states had the expire approximately 15-20 seconds before
- all states had the expire 0-2 seconds after the creation
- all states were of type IPV6_ICMP
- all states had gwy and lan address set to a very strange kind of address, like ff02:5:0:0:0:1:ff00:2 (only the last two parts seem to change sometimes), the ext address was set to ::0 (except for one)
- all states had direction = PF_IN (except for this one exception)
so this looks quite like a software bug within pf, but I am open to other suggestions.

there indeed happens to be occasional ipv6 traffic on the wire.

Serve - BSD     +++  RENT this banner advert  +++    ASCII Ribbon   /"\
Work - Mac      +++  space for low €€€ NOW!1  +++      Campaign     \ /
Party Enjoy Relax   |   http://dragonflybsd.org      Against  HTML   \
Dude 2c 2 the max   !   http://golden-apple.biz       Mail + News   / \
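The report traces the panic to RB_REMOVE_COLOR walking a tree whose red-black invariants no longer hold (a black node with a single black child means the two downward paths differ in black height). A cheap way to localise such corruption while debugging is to validate the whole tree before each removal pass. The following is an added example, not part of this post or of the DragonFly pf/sys/tree.h code; it uses a hypothetical node layout of its own rather than the kernel's RB_* macros, and builds a few constructed trees to show the checker accepting a consistent tree and rejecting the black-height mismatch and a red-red violation.

```c
#include <stddef.h>
#include <stdio.h>

enum rb_color { RB_RED, RB_BLACK };

/* Minimal node layout assumed for this example; the real kernel code uses
 * the RB_ENTRY/RB_* macros from <sys/tree.h>. */
struct rb_node {
    struct rb_node *left, *right, *parent;
    enum rb_color color;
    int key;
};

/* Returns the black height (>= 1) of a consistent subtree, or -1 if any
 * red-black invariant is violated inside it. NULL leaves count as black. */
static int rb_check_subtree(const struct rb_node *n, const struct rb_node *parent)
{
    int lh, rh;

    if (n == NULL)
        return 1;
    if (n->parent != parent)                       /* stale parent pointer */
        return -1;
    if (n->color == RB_RED &&                      /* red node with red child */
        ((n->left && n->left->color == RB_RED) ||
         (n->right && n->right->color == RB_RED)))
        return -1;
    if (n->left && n->left->key > n->key)          /* ordering broken */
        return -1;
    if (n->right && n->right->key < n->key)
        return -1;

    lh = rb_check_subtree(n->left, n);
    rh = rb_check_subtree(n->right, n);
    if (lh < 0 || rh < 0 || lh != rh)              /* black-height mismatch */
        return -1;
    return lh + (n->color == RB_BLACK ? 1 : 0);
}

/* Returns 1 if the tree rooted at root satisfies every red-black invariant,
 * 0 otherwise. Intended as a debug-only check before a removal pass. */
int rb_tree_valid(const struct rb_node *root)
{
    if (root == NULL)
        return 1;
    if (root->color != RB_BLACK)
        return 0;
    return rb_check_subtree(root, NULL) > 0;
}

/* Constructed sample nodes; each builder uses its own slots so the three
 * trees can coexist. */
static struct rb_node nodes[8];

static struct rb_node *mk(int idx, int key, enum rb_color c,
                          struct rb_node *l, struct rb_node *r)
{
    struct rb_node *n = &nodes[idx];
    n->key = key; n->color = c; n->left = l; n->right = r; n->parent = NULL;
    if (l) l->parent = n;
    if (r) r->parent = n;
    return n;
}

/* Consistent tree: black 10 with black children 5 and 15. */
struct rb_node *build_valid_tree(void)
{
    struct rb_node *l = mk(0, 5, RB_BLACK, NULL, NULL);
    struct rb_node *r = mk(1, 15, RB_BLACK, NULL, NULL);
    return mk(2, 10, RB_BLACK, l, r);
}

/* The layout described in the report: black 10 whose only child, 5, is
 * black. The left path has black height 2, the empty right path 1. */
struct rb_node *build_broken_tree(void)
{
    struct rb_node *l = mk(3, 5, RB_BLACK, NULL, NULL);
    return mk(4, 10, RB_BLACK, l, NULL);
}

/* A second kind of corruption: red 5 with a red child 2. */
struct rb_node *build_red_red_tree(void)
{
    struct rb_node *ll = mk(5, 2, RB_RED, NULL, NULL);
    struct rb_node *l = mk(6, 5, RB_RED, ll, NULL);
    return mk(7, 10, RB_BLACK, l, NULL);
}

int main(void)
{
    printf("valid tree:   %d\n", rb_tree_valid(build_valid_tree()));   /* 1 */
    printf("broken tree:  %d\n", rb_tree_valid(build_broken_tree()));  /* 0 */
    printf("red-red tree: %d\n", rb_tree_valid(build_red_red_tree())); /* 0 */
    return 0;
}
```

Running the checker right before the RB_SCAN/RB_REMOVE pass (or after every insert while narrowing the problem down) turns a null-pointer panic deep inside RB_REMOVE_COLOR into a report at the point where the tree first became inconsistent, which is usually much closer to the code that actually corrupted it.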
