Date:      Mon, 30 Jul 2001 17:14:04 -0700 (PDT)
From:      Richard Andrades <richard@xebeo.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/29337: If no IP addresses are configured, received ping will crash the kernel.
Message-ID:  <200107310014.f6V0E4m01931@freefall.freebsd.org>


>Number:         29337
>Category:       kern
>Synopsis:       If no IP addresses are configured, received ping will crash the kernel.
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 30 17:20:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Richard Andrades
>Release:        RELENG_4_1_1_RELEASE (Revision 1.1.2.2)
>Organization:
Xebeo Communications, Inc.
>Environment:
FreeBSD X2.xebeo.com 4.1.1 FreeBSD 4.1.1 #11: Tue Jul 17 14:47:29 EDT 2001     richard@X2.xebeo.com:/net/scratch/richard/kern/kernel/sys/compile/GENERIC  i386
>Description:
If a FreeBSD system does not have ANY IP addresses configured
on any interface, and if it receives a unicast ping packet, it
will crash trying to dereference a NULL pointer.

>How-To-Repeat:
This problem requires some work to recreate. My kernel is
compiled to disable IPv6 support. I was unable to reproduce
it on a regular kernel with IPv6 support.

Take a FreeBSD system with NO IP addresses on ANY interface
(I could not do this if IPv6 was enabled). 
Set the loopback interface UP but do not assign it an IP
address.
Add the following route:
  route add 127.0.0.1 -interface lo0
Ping the address.
  ping 127.0.0.1
The kernel will crash within icmp_reflect()


>Fix:
Note: I checked the latest version and this bug has not yet been fixed.

FILE: src/sys/netinet/ip_icmp.c
Function: icmp_reflect()
-----Begin code fragment-----------------------
        /*
         * The following happens if the packet was not addressed to us,
         * and was received on an interface with no IP address.
         */
        if (ia == (struct in_ifaddr *)0)
                ia = in_ifaddrhead.tqh_first;
/* Begin BUG FIX */
        if (ia == (struct in_ifaddr *)0) {
                m_freem(m);
                goto done;      /* Abandon - or we will crash */
        }
/* End BUG FIX */
        t = IA_SIN(ia)->sin_addr;
--------------End code fragment-----------------


Explanation:
************

In the function ip_input() in the file src/sys/netinet/ip_input.c,
there is the following code fragment:
--------------------------------------
        /*
         * Check our list of addresses, to see if the packet is for us.
         * If we don't have any addresses, assume any unicast packet
         * we receive might be for us (and let the upper layers deal
         * with it).
         */
        if (TAILQ_EMPTY(&in_ifaddrhead) &&
            (m->m_flags & (M_MCAST|M_BCAST)) == 0)
                goto ours;
---------------------------------------

So if the system does not have any IP addresses configured and
if a ping packet arrives with a unicast destination address, the
above code fragment will hand it off to icmp_input(), which
will pass it on to icmp_reflect(), which will crash trying
to dereference the in_ifaddrhead pointer, which is NULL.
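To make the failure mode and the proposed fix concrete outside the kernel, here is an added userland model of the address-selection step in icmp_reflect(). It is constructed for this page and is not FreeBSD code: the struct names, the `reflect_source()` helper, the `REFLECT_*` result codes and the sample address 192.0.2.1 are all assumptions. The list uses the same TAILQ macros as the kernel, so the empty-list case matches the report (the global head is empty, `ia` is NULL, and the fallback to the first entry yields NULL again).

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/queue.h>

/* Minimal userland stand-in for the kernel's per-interface address list.
 * Names echo struct in_ifaddr / in_ifaddrhead but these are constructed
 * definitions, not the FreeBSD ones. */
struct in_ifaddr {
    uint32_t ia_addr;                 /* IPv4 address, host byte order */
    TAILQ_ENTRY(in_ifaddr) ia_link;
};
TAILQ_HEAD(in_ifaddrhead, in_ifaddr);

/* Result codes for the reflect-source selection (assumed names). */
enum reflect_result { REFLECT_OK = 0, REFLECT_DROP = 1 };

/*
 * Model of the address selection in icmp_reflect(): `ia` is the address
 * matched for the incoming packet, NULL when the packet was not addressed
 * to us or arrived on an interface with no IP address. The original code
 * fell back to the first entry of the global list and dereferenced it
 * unconditionally; with no addresses configured that entry is NULL.
 * This version applies the submitted fix and drops the reply instead.
 */
enum reflect_result
reflect_source(struct in_ifaddrhead *head, struct in_ifaddr *ia, uint32_t *src)
{
    if (ia == NULL)
        ia = TAILQ_FIRST(head);     /* same fallback as in_ifaddrhead.tqh_first */
    if (ia == NULL) {
        /* Equivalent of the BUG FIX block: nothing to reflect from,
         * so abandon the reply rather than dereference NULL. */
        return REFLECT_DROP;
    }
    *src = ia->ia_addr;
    return REFLECT_OK;
}

/* Reproduces the report's scenario: a unicast packet reached the ICMP
 * layer on a host with no IPv4 addresses configured at all. Returns 1
 * when the packet is dropped safely. */
int empty_list_is_dropped(void)
{
    struct in_ifaddrhead head;
    uint32_t src = 0;
    TAILQ_INIT(&head);
    return reflect_source(&head, NULL, &src) == REFLECT_DROP;
}

/* Normal case: one configured address (constructed value 192.0.2.1).
 * Returns the selected source address, or 0 if selection failed. */
uint32_t single_addr_source(void)
{
    struct in_ifaddrhead head;
    struct in_ifaddr a = { .ia_addr = 0xC0000201u };  /* 192.0.2.1 */
    uint32_t src = 0;
    TAILQ_INIT(&head);
    TAILQ_INSERT_TAIL(&head, &a, ia_link);
    if (reflect_source(&head, NULL, &src) != REFLECT_OK)
        return 0;
    return src;
}

int main(void)
{
    printf("empty address list dropped safely: %s\n",
           empty_list_is_dropped() ? "yes" : "no");
    printf("source with one address: 0x%08x\n", single_addr_source());
    return 0;
}
```

The point the model makes is the one the report makes: ip_input() deliberately passes unicast packets up when the address list is empty, so every consumer of `in_ifaddrhead.tqh_first` downstream has to treat an empty list as a reachable state and fail closed (drop) rather than assume at least one entry exists.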

>Release-Note:
>Audit-Trail:
>Unformatted:
