Date: Sun, 6 Jul 1997 14:54:14 -0700 (PDT)
From: terzis@cs..ucla.edu
To: freebsd-gnats-submit@FreeBSD.ORG
Subject: kern/4044: kernel crashes when ip_output() is called with a NULL route argument
Message-ID: <199707062154.OAA07611@hub.freebsd.org>
Resent-Message-ID: <199707062200.PAA07744@hub.freebsd.org>
>Number: 4044
>Category: kern
>Synopsis: kernel crashes when ip_output() is called with a NULL route argument
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Jul 6 15:00:01 PDT 1997
>Last-Modified:
>Originator: Andreas Terzis
>Organization:
UCLA Computer Science Dept
>Release: 2.2.2-RELEASE
>Environment:
FreeBSD pear.dnrc.bell-labs.com 2.2.2-RELEASE FreeBSD 2.2.2-RELEASE #1:
Thu Jul 3 19:08:37 EDT 1997 terzis@pear.dnrc.bell-labs.com:
/devel/MIP-kernel/sys/compile/RSVP+MIP-pear i386
>Description:
When ip_output() in netinet/ip_output.c is called with a NULL route
argument header, the kernel crashes, because a test for a NULL argument
has been removed from this version of the code. You can find the test
in older versions of the same file or in the Stevens book
TCP/IP Illustrated Vol. II (page 230).
>How-To-Repeat:
Try to hand a packet to ip_output for forwarding with a NULL route
argument.
>Fix:
Include a test for NULL route header.
This is what I have done and it worked:
/*
 * IP output.  The packet in mbuf chain m contains a skeletal IP
 * header (with len, off, ttl, proto, tos, src, dst).
 * The mbuf chain containing the packet will be freed.
 * The mbuf opt, if present, will not be freed.
 */
int
ip_output(m0, opt, ro, flags, imo)
	struct mbuf *m0;
	struct mbuf *opt;
	struct route *ro;
	int flags;
	struct ip_moptions *imo;
{
	struct ip *ip, *mhip;
	struct ifnet *ifp;
	struct mbuf *m = m0;
	int hlen = sizeof (struct ip);
	int len, off, error = 0;
	struct sockaddr_in *dst;
	struct in_ifaddr *ia;
	int isbroadcast;
	struct route iproute;	/* ADDED */

#ifdef DIAGNOSTIC
	if ((m->m_flags & M_PKTHDR) == 0)
		panic("ip_output no HDR");
	if (!ro)
		panic("ip_output no route, proto = %d",
		    mtod(m, struct ip *)->ip_p);
#endif
	if (opt) {
		m = ip_insertoptions(m, opt, &len);
		hlen = len;
	}
	ip = mtod(m, struct ip *);
	/*
	 * Fill in IP header.
	 */
	if ((flags & (IP_FORWARDING|IP_RAWOUTPUT)) == 0) {
		ip->ip_vhl = IP_MAKE_VHL(IPVERSION, hlen >> 2);
		ip->ip_off &= IP_DF;
		ip->ip_id = htons(ip_id++);
		ipstat.ips_localout++;
	} else {
		hlen = IP_VHL_HL(ip->ip_vhl) << 2;
	}
	/* ADDED test for NULL ro argument */
	if (ro == 0) {
		ro = &iproute;
		bzero ((caddr_t) ro, sizeof(*ro));
	}
>Audit-Trail:
>Unformatted:
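
The NULL-route guard from the report, as an added user-space example that is not part of the original report or of the FreeBSD source. The struct definitions, rt_lookup(), model_output() and route_refs() are hypothetical stand-ins, and releasing the temporary route's reference on exit is an assumption of this model, since the excerpt in the report stops before the function's exit path.

```c
/* Added example: user-space model; the types are simplified stand-ins,
 * not the FreeBSD kernel's definitions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct rtentry { int rt_refcnt; };          /* stand-in routing table entry */
struct route { struct rtentry *ro_rt; };    /* stand-in cached route */

static struct rtentry table_entry;          /* constructed: the only route */

/* Model of a route lookup: caches the entry and takes a reference. */
static void rt_lookup(struct route *ro)
{
	ro->ro_rt = &table_entry;
	ro->ro_rt->rt_refcnt++;
}

/* Model of the output path; returns 0 on success. */
int model_output(struct route *ro)
{
	struct route iproute;               /* local fallback, as in the report */

	if (ro == NULL) {                   /* the test the report restores */
		ro = &iproute;
		memset(ro, 0, sizeof(*ro));
	}
	if (ro->ro_rt == NULL)              /* a NULL ro would fault on this read */
		rt_lookup(ro);
	/* ... the packet would be sent via ro->ro_rt here ... */

	/* Assumption of this model: a caller-supplied route keeps its cached
	 * reference, but the temporary one is released before returning. */
	if (ro == &iproute && ro->ro_rt != NULL) {
		ro->ro_rt->rt_refcnt--;
		ro->ro_rt = NULL;
	}
	return 0;
}

int route_refs(void) { return table_entry.rt_refcnt; }

int main(void)
{
	model_output(NULL);
	printf("refs after NULL-route call: %d\n", route_refs());
	return 0;
}
```

In the excerpt in the report, the DIAGNOSTIC block still calls panic() on a NULL ro before the added test is reached, so a kernel built with DIAGNOSTIC would not get as far as the fallback.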
