[Bug 40] system hangs, Availability problems, maybe conntrack bug, possible reason here.

bugzilla-daemon at bugzilla.netfilter.org bugzilla-daemon at bugzilla.netfilter.org
Thu Jan 6 20:38:20 CET 2005 

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=40





------- Additional Comments From pmccurdy at net-itech.com  2005-01-06 20:38 MET -------
Created an attachment (id=71)
 --> (https://bugzilla.netfilter.org/bugzilla/attachment.cgi?id=71&action=view)
Patch to fix lockup 

Here is a patch to fix the problem.  My colleague Peter Zion (who deserves all
the credit for tracking this down and fixing it) sent a message to
netfilter-devel about this, but I can't find it in the archive, so here's a
copy of it:

Subject: [PATCH] PPTP connection tracking: fixed oops during PPTP connect when
interface under heavy load

Summary:

If PPTP connection tracking is running on a machine and certain PPTP
packets arrive out of order, or preceding packets never made
it to the machine, the PPTP connection tracking code will
dereference NULL pointers.  Reproduction steps are to attempt PPTP connections
to the machine on an interface under heavy load.

Reproduction:

1. Set up the vulnerable machine NATing a shared external connection to the
local network and with a PPTP daemon running that allows connections from
the external network.  It must have PPTP connection tracking enabled.

2. On a machine on the local network for which the vulnerable machine is
acting as a gateway to the external network, run hping2 about 8-15 times
simultaneously, until your ping response is around 500-800ms but with less
than 50% packet loss.  Use the following options: "hping2 -2 --destport 123
--keep -d 100 -i u1 <external address>", where <external address> is a machine
on the external network that won't mind being flooded for a few minutes.

3. On a machine on the external network, repeatedly make a PPTP
connection to the vulnerable machine.  In our experience the vulnerable
machine will oops about one in three PPTP connection attepts.


-- 
Configure bugmail: https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

More information about the netfilter-buglog mailing list