Date: Sun, 9 Apr 2006 12:54:03 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: FreeBSD net mailing list
Message-ID: <20060409124834.F30410@maildrop.int.zabbadoz.net>
Subject: sa_len of 0 in ioctl paths, etc. and bogus routes

Hi,

attached patch and description is for testing and further discussion.

You can also fetch it from
http://sources.zabbadoz.net/freebsd/patchset/EXPERIMENTAL/sys-net-route.c.diff

!
! These checks are needed so we do not install a route looking
! like this:
! (0) 10.111.66.200 UH tun0 =>
!
! When removing this route the kernel will start to walk
! the address space which looks like a hang on amd64 because
! it'll take AGES and on 32bit arch might lead to an insta-panic
! when kernel debugging options are turned on.
!
! The problem is in rtrequest1:
!         if (netmask) {
!                 rt_maskedcopy(dst, ndst, netmask);
!         } else
!                 bcopy(dst, ndst, dst->sa_len);
!
! In both cases the len might be 0 if the application forgot to
! set it. This is an application error but as it can 'stall'
! your system upon removing of the bogus route it has to be
! prevented.
! If it is not, ndst will be all-zero leading to above mentioned
! strange routes.
!
! I hit this twice using IOCTLs deprecated since rev. 1 of FreeBSD
! source and still in the tree. They are described by Stevens and that
! might be the reason I had used them in my own code initially.
! Today I know exactly one application (after I had changed my own code)
! still using them and I just fixed usage of that.
!
! I haven't checked if this can also be triggered by using
! SIOCAIFADDR, etc.
!
! Looks good says: gnn
!
Tested by: you? ! ! We should probably catch a sa_len of 0 as early as possible in ioctl paths ! too (suggested by gnn). ! Index: route.c =================================================================== RCS file: /shared/mirror/FreeBSD/r/ncvs/src/sys/net/route.c,v retrieving revision 1.114 diff -u -p -r1.114 route.c --- route.c 11 Nov 2005 16:04:48 -0000 1.114 +++ route.c 9 Apr 2006 12:12:38 -0000 @@ -499,6 +499,9 @@ rtrequest(int req, { struct rt_addrinfo info; + if (dst->sa_len == 0) + return(EINVAL); + bzero((caddr_t)&info, sizeof(info)); info.rti_flags = flags; info.rti_info[RTAX_DST] = dst; @@ -1137,6 +1140,9 @@ rtinit(struct ifaddr *ifa, int cmd, int dst = ifa->ifa_addr; netmask = ifa->ifa_netmask; } + if (dst->sa_len == 0) + return(EINVAL); + /* * If it's a delete, check that if it exists, it's on the correct * interface or we might scrub a route to another ifa which would -- Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
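Review bot: The guard in the first hunk sits in rtrequest(), while the description locates the faulty copy in rtrequest1, so any caller that fills its own struct rt_addrinfo and enters rtrequest1 without going through rtrequest() is still unguarded. Consider testing the sa_len of the RTAX_DST entry inside rtrequest1, next to the rt_maskedcopy/bcopy code quoted in the description, so that one check covers every entry point.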
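Review bot: The "if (dst->sa_len == 0)" test added to rtinit() in the second hunk has no comment, so a later reader cannot tell why a zero length must be rejected at this point; a one-line comment naming the all-zero route key problem would document it. Both hunks also write "return(EINVAL);" where style(9) asks for "return (EINVAL);".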
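The failure described in the message above, modeled in user space as an added example (not code from the original message or from FreeBSD). The struct and the function names copy_key, key_is_all_zero, install_key and sample are hypothetical, and the model assumes the key buffer starts out zeroed; it shows how a forgotten length turns 10.111.66.200 into an all-zero key and how the sa_len guard stops that.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* User-space model of a BSD-style sockaddr_in (hypothetical type, 16 bytes). */
struct model_sockaddr_in {
    uint8_t  sin_len;     /* the length field the application forgot to set */
    uint8_t  sin_family;
    uint16_t sin_port;
    uint8_t  sin_addr[4];
    uint8_t  sin_zero[8];
};

/* Models the unmasked branch quoted above: bcopy(dst, ndst, dst->sa_len).
 * Assumption: the key buffer starts out zeroed. */
static void copy_key(const struct model_sockaddr_in *dst, struct model_sockaddr_in *ndst)
{
    memset(ndst, 0, sizeof(*ndst));
    memcpy(ndst, dst, dst->sin_len);   /* copies nothing when sin_len is 0 */
}

/* Returns 1 when every byte of the key is zero, i.e. the destination was lost. */
static int key_is_all_zero(const struct model_sockaddr_in *k)
{
    const uint8_t *p = (const uint8_t *)k;
    for (size_t i = 0; i < sizeof(*k); i++)
        if (p[i] != 0)
            return 0;
    return 1;
}

/* The same guard as in the patch: refuse a zero-length sockaddr before copying. */
static int install_key(const struct model_sockaddr_in *dst, struct model_sockaddr_in *ndst)
{
    if (dst->sin_len == 0)
        return EINVAL;
    copy_key(dst, ndst);
    return 0;
}

/* Constructed sample: 10.111.66.200, with or without the length filled in. */
static struct model_sockaddr_in sample(int set_len)
{
    struct model_sockaddr_in s = { .sin_family = 2,   /* AF_INET */
                                   .sin_addr = { 10, 111, 66, 200 } };
    s.sin_len = set_len ? (uint8_t)sizeof(s) : 0;
    return s;
}
```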