Subject: Re: net.inet.udp.log_in_vain strange syslog reports
To: Mark Martinec, freebsd-stable@freebsd.org
From: Eric van Gyzen
Date: Fri, 3 Feb 2017 13:05:27 -0600
In-Reply-To: <76681a24b7935674585b5ac585f4575c@ijs.si>

On 02/02/2017 12:55, Mark Martinec wrote:
> 11.0-RELEASE-p7, net.inet.udp.log_in_vain=1
>
> The following syslog entries seem to indicate some buffer overruns
> in the reporting code (not all log lines are broken, just some).
>
> (the actual failed connection attempts were indeed there,
> it's just that the reported IP address is highly suspicious)
>
> Mark
>
>
> Connection attempt to UDP 193.2.4.2:53 from 95.87.1521242:26375

There is no buffer overrun, so no cause for alarm. The problem is
concurrent usage of a single string buffer by multiple threads. The
buffer is inside inet_ntoa(), defined in sys/libkern/inet_ntoa.c. In
this case, it is called from udp_input().

Would you like to test the following patch?

Eric

diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c index 173c44c..ca2dda1 100644 --- a/sys/netinet/udp_usrreq.c +++ b/sys/netinet/udp_usrreq.c
@@ -674,13 +674,13 @@ udp_input(struct mbuf **mp, int *offp, int proto) INPLOOKUP_RLOCKPCB, ifp, m); if (inp == NULL) { if (udp_log_in_vain) { - char buf[4*sizeof "123"]; + char src[4*sizeof "123"]; + char dst[4*sizeof "123"]; - strcpy(buf, inet_ntoa(ip->ip_dst)); log(LOG_INFO, "Connection attempt to UDP %s:%d from %s:%d\n", - buf, ntohs(uh->uh_dport), inet_ntoa(ip->ip_src), - ntohs(uh->uh_sport)); + inet_ntoa_r(ip->ip_dst, dst), ntohs(uh->uh_dport), + inet_ntoa_r(ip->ip_src, src), ntohs(uh->uh_sport)); } UDPSTAT_INC(udps_noport); if (m->m_flags & (M_BCAST | M_MCAST)) {
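
Review bot: The two new buffers in the udp_log_in_vain block are sized with the expression 4*sizeof "123", written out once for src and once for dst, and inet_ntoa_r() as called here is given no length, so the safety of both calls rests on that expression. It evaluates to 16, which covers a full dotted quad plus the terminator, but a named constant such as INET_ADDRSTRLEN would state the intent and keep the two declarations from drifting apart. A one-line comment saying that the caller-supplied buffers are there because inet_ntoa() returns a shared static buffer would also help, since the removed strcpy() into a local buf looked like it already handled that and did not.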
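
The shared-buffer problem described in the reply above, as an added example that is not part of the original message and is not FreeBSD code. It is a simplified, single-threaded model: two conversions are stepped octet by octet in alternation, first into one buffer and then into separate buffers, as the patch does with src and dst. The names struct conv, conv_step and convert_both and both addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ADDRLEN (4 * sizeof "123")  /* 16 bytes, sized as in the patch */

/* One in-progress dotted-quad conversion (hypothetical model, not kernel code). */
struct conv {
    uint8_t octet[4];
    char *buf;    /* output buffer; may be shared with another conversion */
    size_t pos;   /* private write offset, like a local inside sprintf() */
    int next;     /* index of the next octet to emit */
};

static char one[ADDRLEN], src[ADDRLEN], dst[ADDRLEN];

/* Emit one more octet; returns 0 once all four have been written. */
static int conv_step(struct conv *c)
{
    if (c->next == 4)
        return 0;
    c->pos += (size_t)snprintf(c->buf + c->pos, ADDRLEN - c->pos,
        c->next < 3 ? "%u." : "%u", (unsigned)c->octet[c->next]);
    c->next++;
    return 1;
}

/* Convert two constructed addresses in strict alternation, the way two
 * CPUs might interleave; a_buf and b_buf may point at the same storage. */
static const char *convert_both(char *a_buf, char *b_buf)
{
    struct conv a = { {192, 0, 2, 10}, a_buf, 0, 0 };
    struct conv b = { {198, 51, 100, 7}, b_buf, 0, 0 };
    int more;

    do {
        more = conv_step(&a);
        more |= conv_step(&b);
    } while (more);
    return a_buf;
}

int main(void)
{
    printf("one shared buffer: %s\n", convert_both(one, one));
    convert_both(src, dst);
    printf("private buffers:   %s and %s\n", src, dst);
    return 0;
}
```

With one buffer the reader sees a string that matches neither address, yet no write goes past the 16 bytes, which is consistent with the reply's point that this is not an overrun.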