Problem Description:
ipfilter(4), when configured for stateful packet inspection
with the "keep state" or "keep frags" rule options, not only
maintains the state of connections, such as TCP streams or
UDP exchanges, it also maintains the state of fragmented
packets. When packet fragments are received they are cached
in a hash table (with a linked list per bucket). Each
arriving fragment is compared with the fragments already
cached in the hash table. If no match is found, the new
fragment is used to create a new entry in the hash table.
If it does match, however, the wrong entry is freed: the
entry already in the hash table rather than the new one.
This results in a use-after-free panic (and, for a brief
moment prior to the panic, a memory leak, because the new
entry is never freed).
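To make the mistake concrete, the following is an added, constructed model of a fragment cache (not ipfilter's own code) showing the vulnerable insert path beside the corrected one. Releases are recorded as a flag instead of a real free() so the dangling table entry can be inspected safely.

```c
/* Constructed model of a stateful fragment cache, not ipfilter's code. */
#include <stddef.h>

#define NBUCKETS 16

struct frag {
    unsigned int id, src, dst;   /* IP id and addresses identify a datagram */
    struct frag *next;           /* hash-bucket chain */
    int freed;                   /* set instead of calling free(), for inspection */
};

static struct frag *table[NBUCKETS];

static struct frag *frag_lookup(const struct frag *f) {
    for (struct frag *e = table[f->id % NBUCKETS]; e != NULL; e = e->next)
        if (e->id == f->id && e->src == f->src && e->dst == f->dst)
            return e;
    return NULL;
}

static void frag_link(struct frag *f) {
    struct frag **head = &table[f->id % NBUCKETS];
    f->next = *head;
    *head = f;
}

/* Vulnerable pattern: on a match the cached entry is released even though
 * it stays linked in the table, and the new entry is simply dropped. */
void frag_insert_buggy(struct frag *in) {
    struct frag *cached = frag_lookup(in);
    if (cached == NULL) { frag_link(in); return; }
    cached->freed = 1;           /* wrong object: the table still points at it */
}

/* Fixed pattern: the temporary new entry is the one to release. */
void frag_insert_fixed(struct frag *in) {
    struct frag *cached = frag_lookup(in);
    if (cached == NULL) { frag_link(in); return; }
    in->freed = 1;               /* cached entry stays valid and linked */
}

/* Returns 1 if any entry still reachable from the table has been released,
 * i.e. a dangling pointer that the next lookup would dereference. */
int table_has_dangling(void) {
    for (int b = 0; b < NBUCKETS; b++)
        for (struct frag *e = table[b]; e != NULL; e = e->next)
            if (e->freed) return 1;
    return 0;
}

void table_reset(void) {
    for (int b = 0; b < NBUCKETS; b++) table[b] = NULL;
}
```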
Impact:
Carefully feeding fragments that are allowed to pass by an
ipfilter(4) firewall can be used to cause a panic, followed
by a reboot-loop denial-of-service attack.