Message-Id: <200909100558.n8A5wWDc068798@www.freebsd.org>
Date: Thu, 10 Sep 2009 05:58:32 GMT
From: Stef Walter
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/138690: Multicast: uninited memory used in filter at IP_DROP_MEMBERSHIP + IP_ADD_MEMBERSHIP
X-Send-Pr-Version: www-3.1

>Number: 138690
>Category: kern
>Synopsis: Multicast: uninited memory used in filter at IP_DROP_MEMBERSHIP + IP_ADD_MEMBERSHIP
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Sep 10 06:00:09 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Stef Walter
>Release: 8.0-BETA4
>Organization:
>Environment:
FreeBSD northstar-gate.ws.local 8.0-BETA4 FreeBSD 8.0-BETA4 #8: Thu Sep 10 05:15:49 UTC 2009 op@northstar-gate.ws.local:/usr/src/sys/i386/compile/MESHNODE i386
>Description:
If a multicast caller does an IP_DROP_MEMBERSHIP followed by an IP_ADD_MEMBERSHIP, often an uninitialized filter is used for the in_mfilter passed to in_joingroup_locked() in netinet/in_mcast.c.

The IP_ADD_MEMBERSHIP and IP_DROP_MEMBERSHIP have simple in_mreq input, and are not using SSM or any of the new IGMPv3 features.
>How-To-Repeat:
This results in the following behavior shown by ifmcstat.

Before the drop + add you can see the following groups for the northstar1 interface. Note that 224.0.0.5 (i.e. OSPF-ALL.MCAST.NET) is subscribed with an empty exclude filter as you would expect from simple ASM mode:

> > # ifmcstat -i northstar1
> > northstar1:
> > inet 172.28.1.66
> > igmpv3 flags=0<> rv 2 qi 125 qri 10 uri 3
> > group 224.0.0.5 mode exclude
> > group 224.0.0.1 mode exclude

After the drop + add, it looks like the following. Note that now 224.0.0.5 is subscribed with an empty *include* filter which results in no packets received.
> > # ifmcstat -i northstar1
> > northstar1:
> > inet 172.28.1.66
> > igmpv3 flags=0<> rv 2 qi 125 qri 10 uri 3
> > group 224.0.0.1 mode exclude
> > group 224.0.0.5 mode include
>Fix:
Patch is attached which fixes the problem. Bruce Simpson has signed off on this patch via the freebsd-net mailing list.

Patch attached with submission follows:

--- sys/netinet/in_mcast.c.orig 2009-08-03 08:13:06.000000000 +0000 +++ sys/netinet/in_mcast.c 2009-09-09 15:01:24.000000000 +0000 @@ -2024,6 +2050,9 @@ error = ENOMEM; goto out_imo_free; } + } else if (is_new) { + /* Old style ASM filter mode is always exclude */ + imf_init(imf, MCAST_UNDEFINED, MCAST_EXCLUDE); } /*
>Release-Note:
>Audit-Trail:
>Unformatted:
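
Review bot: the hunk header "@@ -2024,6 +2050,9 @@" puts the new-file start 26 lines past the old-file start, yet this is the only hunk shown and it adds three lines, so the diff was taken from a copy of in_mcast.c that carries earlier changes not included in the submission. Please regenerate it against an unmodified sys/netinet/in_mcast.c, or include the missing hunks, so that what gets committed is exactly what was tested. In the added "else if (is_new)" branch, the comment "Old style ASM filter mode is always exclude" could also say that this is where the filter of a newly created membership gets initialized when the request is a plain in_mreq, which is the case the PR describes.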