From owner-freebsd-bugs Mon Sep 17 8:20:11 2001
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 604ED37B405 for ; Mon, 17 Sep 2001 08:20:02 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.4/8.11.4) id f8HFK2568575; Mon, 17 Sep 2001 08:20:02 -0700 (PDT) (envelope-from gnats)
Received: from mailhub.fokus.gmd.de (mailhub.fokus.gmd.de [193.174.154.14]) by hub.freebsd.org (Postfix) with ESMTP id D48CE37B417 for ; Mon, 17 Sep 2001 08:13:26 -0700 (PDT)
Received: from fokus.gmd.de (beagle [193.175.132.100]) by mailhub.fokus.gmd.de (8.8.8/8.8.8) with ESMTP id RAA04012 for ; Mon, 17 Sep 2001 17:13:25 +0200 (MET DST)
Received: (from hbb@localhost) by fokus.gmd.de (8.11.6/8.11.0) id f8HFDPP78343; Mon, 17 Sep 2001 17:13:25 +0200 (CEST) (envelope-from hbb)
Message-Id: <200109171513.f8HFDPP78343@fokus.gmd.de>
Date: Mon, 17 Sep 2001 17:13:25 +0200 (CEST)
From: brandt@fokus.gmd.de
Reply-To: brandt@fokus.gmd.de
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
Subject: kern/30630: Failure to check for existence of interface in if_mib.c
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID: 
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe: 
List-Unsubscribe: 
X-Loop: FreeBSD.org

>Number:         30630
>Category:       kern
>Synopsis:       Failure to check for existence of interface in if_mib.c
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Sep 17 08:20:02 PDT 2001
>Closed-Date:    
>Last-Modified:  
>Originator:     Hartmut Brandt
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
Fraunhofer FOKUS
>Environment:
System: FreeBSD beagle.fokus.gmd.de 5.0-CURRENT FreeBSD 5.0-CURRENT #0: Wed Sep 5 12:10:46 CEST 2001 hbb@beagle.fokus.gmd.de:/opt/obj/usr/src/sys/BEAGLE i386
>Description:
if_mib.c:sysctl_ifdata fails to check whether the accessed interface really exists. The problem is that since the advent of loadable modules the interface index name space may be sparse. Before loadable modules one was sure that all interfaces between 1 and if_index really existed, so the check

	if (name[0] <= 0 || name[0] > if_index)

was ok. Now it is possible to unload interface drivers so that interfaces between 1 and if_index may disappear. ifaddr_byindex(IDX) will return NULL in this case, which in turn leads to a kernel panic. There may be other places in the kernel that also build on the old assumption.
>How-To-Repeat:
Put 2 network cards in your computer which need different drivers. Build these drivers as loadable modules and reboot. Now configure the two interfaces. Now unload the driver for the first interface and execute the test program below:

	#include <stdio.h>
	#include <stdlib.h>
	#include <err.h>
	#include <sys/types.h>
	#include <sys/sysctl.h>
	#include <sys/socket.h>
	#include <net/if.h>
	#include <net/if_mib.h>

	/*
	 * Query net.link.generic.ifdata.<index>.linkspecific for an
	 * interface index whose driver has been unloaded.  The index
	 * defaults to 4 (the value in the original report); pass the
	 * index of the unloaded interface as the first argument instead.
	 */
	int
	main(int argc, char *argv[])
	{
		int name[6];
		size_t len = 0;
		int idx = (argc > 1) ? atoi(argv[1]) : 4;

		name[0] = CTL_NET;
		name[1] = PF_LINK;
		name[2] = NETLINK_GENERIC;
		name[3] = IFMIB_IFDATA;
		name[4] = idx;
		name[5] = IFDATA_LINKSPECIFIC;

		/* A NULL oldp only asks for the size, but the lookup still runs. */
		if (sysctl(name, 6, NULL, &len, NULL, 0) < 0)
			err(1, "sysctl failed");
		return (0);
	}

Watch the kernel panic.
>Fix:
Index: if_mib.c
===================================================================
RCS file: /usr/ncvs/src/sys/net/if_mib.c,v
retrieving revision 1.11
diff -r1.11 if_mib.c
86c86,87
< ifp = ifaddr_byindex(name[0])->ifa_ifp;
---
> if ((ifp = ifaddr_byindex(name[0])->ifa_ifp) == NULL)
> return (ENOENT);
>Release-Note:
>Audit-Trail:
>Unformatted:
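Review bot: the NULL check in the replacement lines tests the wrong pointer. `ifaddr_byindex(name[0])->ifa_ifp` dereferences the returned ifaddr before `ifp` is compared with NULL, and the description states that it is ifaddr_byindex() itself that returns NULL once the driver has been unloaded, so the patched code still panics in exactly the case it is meant to handle. Check the ifaddr first, for example `if ((ifa = ifaddr_byindex(name[0])) == NULL || (ifp = ifa->ifa_ifp) == NULL) return (ENOENT);`, with a local `struct ifaddr *ifa`. A `diff -u` with a few lines of context would also make the hunk reviewable without opening revision 1.11 at line 86.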
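The sparse index table described in the report, as an added user-space model that is not part of the PR or of FreeBSD: the names ifnet_addrs, ifaddr_byindex, if_index, attach_interface and detach_interface are stand-ins chosen to mirror the kernel's, but the structures and the table are this example's own simplified definitions. It shows why the range check alone passes a hole left by kldunload, and the two-stage lookup (range, then existence, before any dereference) that sysctl_ifdata needs.

```c
/*
 * Added example, not from the PR.  A user-space model of the kernel's
 * interface-index table after a driver has been unloaded.  All names
 * are stand-ins modelled on the FreeBSD ones, not the real definitions.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_IFINDEX 8

struct ifnet {
	int  if_index;
	char if_xname[16];
};

struct ifaddr {
	struct ifnet *ifa_ifp;
};

/* ifnet_addrs[i] is the link-level ifaddr of interface i, or NULL. */
static struct ifaddr *ifnet_addrs[MAX_IFINDEX + 1];
static struct ifaddr  ifaddr_pool[MAX_IFINDEX + 1];
static struct ifnet   ifnet_pool[MAX_IFINDEX + 1];
static int if_index;	/* highest index handed out so far */

static struct ifaddr *
ifaddr_byindex(int idx)
{
	return (ifnet_addrs[idx]);
}

/* Driver load: hand out the next index; returns the index or -1 if full. */
static int
attach_interface(const char *name)
{
	int idx;

	if (if_index >= MAX_IFINDEX)
		return (-1);
	idx = ++if_index;
	ifnet_pool[idx].if_index = idx;
	strncpy(ifnet_pool[idx].if_xname, name,
	    sizeof(ifnet_pool[idx].if_xname) - 1);
	ifaddr_pool[idx].ifa_ifp = &ifnet_pool[idx];
	ifnet_addrs[idx] = &ifaddr_pool[idx];
	return (idx);
}

/* Driver unload: the index stays allocated, the slot becomes a NULL hole. */
static void
detach_interface(int idx)
{
	ifnet_addrs[idx] = NULL;
}

/* The pre-patch validation from sysctl_ifdata: a range check only. */
static int
old_index_ok(int idx)
{
	return (!(idx <= 0 || idx > if_index));
}

/*
 * Hardened lookup: range check, then existence check, and only then the
 * dereference.  Returns 0 and sets *ifpp, or EINVAL / ENOENT.
 */
static int
lookup_ifp(int idx, struct ifnet **ifpp)
{
	struct ifaddr *ifa;

	*ifpp = NULL;
	if (idx <= 0 || idx > if_index)
		return (EINVAL);	/* never a valid index */
	ifa = ifaddr_byindex(idx);
	if (ifa == NULL || ifa->ifa_ifp == NULL)
		return (ENOENT);	/* index allocated, driver gone */
	*ifpp = ifa->ifa_ifp;
	return (0);
}

int
main(void)
{
	struct ifnet *ifp;
	int i, rc;

	attach_interface("fxp0");	/* index 1 */
	attach_interface("xl0");	/* index 2 */
	detach_interface(1);		/* kldunload the first driver */

	for (i = 0; i <= if_index + 1; i++) {
		rc = lookup_ifp(i, &ifp);
		printf("index %d: old check %s, hardened lookup -> %s\n", i,
		    old_index_ok(i) ? "passes" : "rejects",
		    rc == 0 ? ifp->if_xname : strerror(rc));
	}
	return (0);
}
```

Index 1 is the interesting row: the old check passes it, so the original code would dereference the NULL ifaddr, while lookup_ifp reports ENOENT without touching it.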