From owner-freebsd-bugs@FreeBSD.ORG Sat Jan 21 10:30:04 2006
Message-Id: <20060121102900.05CC3DA8C0@toxic.magnesium.net>
Resent-Message-Id: <200601211030.k0LAU32Q088569@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Date: Sat, 21 Jan 2006 02:29:00 -0800 (PST)
From: Seth Kingsley
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: kern/92091: [patch] IP address hash corruption bug
Reply-To: Seth Kingsley
List-Id: Bug reports

>Number:         92091
>Category:       kern
>Synopsis:       [patch] IP address hash corruption bug
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 21 10:30:03 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Seth Kingsley
>Release:        FreeBSD 5.4-RELEASE i386
>Organization:
>Environment:
System: FreeBSD neko.home.meowfishies.com 5.4-RELEASE FreeBSD 5.4-RELEASE #1: Sat Jan 14 22:37:52 UTC 2006 sethk@neko.home.meowfishies.com:/usr/src/sys/i386/compile/GENERIC i386
>Description:
You can cause a panic (page fault) by supplying a non-AF_INET address as parameter to SIOCSIFADDR. The command will fail, removing the temporary address from the IP hash, which it was never added to.
>How-To-Repeat:
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <net/if.h>
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sysexits.h>
#include <unistd.h>

int
main(int ac, char *av[])
{
	const char *ifname;
	int sfd;
	struct ifreq ifr;
	int i;

	if (ac != 2) {
		fprintf(stderr, "usage: %s <ifname>\n", getprogname());
		return EX_USAGE;
	}
	ifname = av[1];

	if ((sfd = socket(PF_INET, SOCK_DGRAM, 0)) == -1)
		err(EX_OSERR, "create socket");

	/* Build a request whose address carries a non-AF_INET family. */
	bzero(&ifr, sizeof(ifr));
	strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name));
	ifr.ifr_addr.sa_len = 0;
	ifr.ifr_addr.sa_family = AF_MAX;

	for (i = 0; i < 2; ++i)
		if (ioctl(sfd, SIOCSIFADDR, &ifr) == -1)
			err(EX_OSERR, "SIOCSIFADDR");

	close(sfd);
	return EX_OK;
}
>Fix:
Only remove the temporary in_ifaddr structure from the hash if it is actually an AF_INET address:

--- /sys/netinet/in.c.orig	Sun Jan 22 02:16:39 2006
+++ /sys/netinet/in.c	Sun Jan 22 02:17:14 2006
@@ -466,7 +466,8 @@
 		s = splnet();
 		TAILQ_REMOVE(&ifp->if_addrhead, &ia->ia_ifa, ifa_link);
 		TAILQ_REMOVE(&in_ifaddrhead, ia, ia_link);
-		LIST_REMOVE(ia, ia_hash);
+		if (ia->ia_addr.sin_family == AF_INET)
+			LIST_REMOVE(ia, ia_hash);
 		IFAFREE(&ia->ia_ifa);
 		splx(s);
>Release-Note:
>Audit-Trail:
>Unformatted:
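Review bot: the guard `if (ia->ia_addr.sin_family == AF_INET)` in front of `LIST_REMOVE(ia, ia_hash)` is only sound if an entry that was never hashed can never carry AF_INET in `ia_addr` and every hashed entry always does; that invariant deserves a one-line comment at the `if`, and writing the test the same way the insertion side does would keep the two from drifting apart. The two `TAILQ_REMOVE` calls and `IFAFREE` in the same block stay unconditional, so the fix assumes those lists are populated for the temporary entry whatever its family; the description supports that only for the hash, so it is worth a sentence in the commit message.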
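Added example, not from the PR or the FreeBSD sources: a userland model of the in_ifaddr hash using the same intrusive-list layout as queue(3), showing why LIST_REMOVE on a zero-filled entry that was never inserted stores through a NULL back pointer and how the patch's family guard avoids it. The struct, the bucket count, the helper names and the sample address are assumptions of the model.

```c
#include <stdlib.h>
#include <sys/socket.h>   /* AF_INET, AF_MAX */
#include <netinet/in.h>   /* struct sockaddr_in */
#define NHASH 16          /* bucket count is arbitrary in this model */
/* Stand-in for struct in_ifaddr with queue(3)'s LIST_ENTRY(ia_hash) layout. */
struct ia_model {
	struct sockaddr_in ia_addr;   /* sin_family is 0 until an address is set */
	struct ia_model *le_next;
	struct ia_model **le_prev;    /* NULL until the entry has been inserted */
};
static struct ia_model *in_hash[NHASH];                  /* INADDR_HASH buckets */
#define BUCKET(ia) (&in_hash[(ia)->ia_addr.sin_addr.s_addr % NHASH])
/* LIST_INSERT_HEAD into the bucket for the entry's address. */
static void hash_insert(struct ia_model *ia)
{
	struct ia_model **head = BUCKET(ia);
	if ((ia->le_next = *head) != NULL)
		(*head)->le_prev = &ia->le_next;
	*head = ia;
	ia->le_prev = head;
}
/* The patched error path: LIST_REMOVE only when the address is really
 * AF_INET, the condition under which it was hashed. Returns 1 if removed. */
static int hash_remove_guarded(struct ia_model *ia)
{
	if (ia->ia_addr.sin_family != AF_INET)
		return 0;                         /* never hashed: nothing to undo */
	if (ia->le_next != NULL)
		ia->le_next->le_prev = ia->le_prev;
	*ia->le_prev = ia->le_next;           /* safe: le_prev set by hash_insert */
	return 1;
}
/* Tear down a zero-filled entry (M_ZERO) with the given family, as the PR's
 * failure path does. An unguarded LIST_REMOVE would store through le_prev,
 * NULL for a never-inserted entry: the PR's page fault. Returns 1 if the
 * guard avoided that fault, 2 if a hashed entry was removed, 0 otherwise. */
static int teardown(int family)
{
	struct ia_model *ia = calloc(1, sizeof *ia);
	ia->ia_addr.sin_family = family;
	ia->ia_addr.sin_addr.s_addr = 0xC0A80001u;   /* constructed sample, host order */
	if (family == AF_INET)
		hash_insert(ia);
	int would_fault = (ia->le_prev == NULL);
	int removed = hash_remove_guarded(ia);
	int empty = (*BUCKET(ia) == NULL);
	free(ia);
	return would_fault ? !removed : (removed && empty) ? 2 : 0;
}
```

teardown(AF_MAX) reproduces the PR's case (family from the repro program) and teardown(0) the zero-filled kernel case; both return 1 because the guard refuses to unlink an entry that was never hashed.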