Date:      Mon, 22 May 2023 21:30:08 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 271573] [panic] ip_output->in_ifaddr_broadcast NULL pointer dereference after route change
Message-ID:  <bug-271573-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271573

            Bug ID: 271573
           Summary: [panic] ip_output->in_ifaddr_broadcast NULL pointer
                    dereference after route change
           Product: Base System
           Version: 12.4-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: vangyzen@FreeBSD.org

FreeBSD 12.4-STABLE #3 stable/12-n236157-886d82afb03

With a busy TCP flow using a non-RTF_HOST route on an IFF_BROADCAST interface,
a "route change" operation on that route that changes the interface address can
leave "ia" NULL, triggering a NULL pointer dereference.

#6  0xffffffff811020df in trap_pfault (frame=0xfffffe002c1e8420,
    usermode=<optimized out>, signo=<optimized out>, ucode=<optimized out>)
    at /usr/src/sys/amd64/amd64/trap.c:739
#7  <signal handler called>
#8  0xffffffff80d63c64 in in_ifaddr_broadcast (in=..., ia=0x0)
    at /usr/src/sys/netinet/in.c:1003
#9  0xffffffff80d75ee6 in ip_output (m=<optimized out>, opt=<optimized out>,
    ro=<optimized out>, flags=<optimized out>, imo=0x0, inp=<optimized out>)
    at /usr/src/sys/netinet/ip_output.c:404
#10 0xffffffff80e03787 in tcp_output (tp=0xfffff8000c922000)
    at /usr/src/sys/netinet/tcp_output.c:1444

There may be multiple changes that contribute to this, but one in particular is
commit 1ebec5faf41f, which creates a window in rtrequest1_fib_change() when
rt->rt_ifa is NULL.  In my opinion, the right fix would close that window.
This might use the wrong interface address, but it won't panic.  It also won't
use freed memory because that's prevented by the net_epoch.

This probably does not affect 13.x or later, which use nexthop.

-- 
You are receiving this mail because:
You are the assignee for the bug.
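The window the report describes, as an added, user-space model that is not FreeBSD code and not part of the bug report: a route change that clears rt_ifa before installing the new ifaddr leaves an instant in which a concurrent sender reads NULL and hands it to in_ifaddr_broadcast(), which dereferences it. The two remedies the reporter contrasts are shown side by side: closing the window (a single pointer store, so a reader sees either the old or the new ifaddr) versus tolerating NULL in the sender (falling back to the interface's primary ifaddr, possibly the wrong address, but no fault). The struct layouts, the enum of outcomes, the sender callback that stands in for another CPU running ip_output(), and the 10.0.0.0/24 addresses are all constructed for the example; the real kernel structures, the net epoch and the routing lock are not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: stripped-down stand-ins for the kernel's struct in_ifaddr and
 * struct rtentry, not the real definitions. Addresses are host-order uint32_t. */
struct in_ifaddr {
	uint32_t ia_addr;       /* interface address */
	uint32_t ia_broadaddr;  /* directed broadcast address for this ifaddr */
};

struct rtentry {
	struct in_ifaddr *rt_ifa;   /* NULL only inside the change window */
};

enum outcome {
	OUT_UNICAST,    /* sent as unicast */
	OUT_BROADCAST,  /* dst matched the ifaddr's broadcast address */
	OUT_FALLBACK,   /* rt_ifa was NULL; sender used the primary ifaddr instead */
	OUT_PANIC       /* rt_ifa was NULL and would have been dereferenced */
};

/* Model of in_ifaddr_broadcast(): like the real one, it assumes ia != NULL. */
static bool
in_ifaddr_broadcast_model(uint32_t dst, const struct in_ifaddr *ia)
{
	return dst == ia->ia_broadaddr || dst == 0xffffffffu;
}

typedef enum outcome (*sender_fn)(struct rtentry *, uint32_t, struct in_ifaddr *);

/* A sender that takes rt_ifa at face value: this is the crashing path. */
static enum outcome
sender_unguarded(struct rtentry *rt, uint32_t dst, struct in_ifaddr *primary)
{
	struct in_ifaddr *ia = rt->rt_ifa;

	(void)primary;
	if (ia == NULL)
		return OUT_PANIC;   /* the kernel has no check here; it faults */
	return in_ifaddr_broadcast_model(dst, ia) ? OUT_BROADCAST : OUT_UNICAST;
}

/* A defensive sender: if rt_ifa is NULL, substitute the interface's primary
 * ifaddr so the rest of the path has something valid to dereference.
 * May pick the wrong address, but never dereferences NULL. */
static enum outcome
sender_guarded(struct rtentry *rt, uint32_t dst, struct in_ifaddr *primary)
{
	struct in_ifaddr *ia = rt->rt_ifa;

	if (ia == NULL) {
		(void)in_ifaddr_broadcast_model(dst, primary);
		return OUT_FALLBACK;
	}
	return in_ifaddr_broadcast_model(dst, ia) ? OUT_BROADCAST : OUT_UNICAST;
}

/* Ordering with a window: clear rt_ifa, do other work (the sender callback
 * stands in for a concurrent ip_output() on another CPU), then install the
 * new ifaddr. Any sender that runs between the two stores sees NULL. */
static enum outcome
route_change_with_window(struct rtentry *rt, struct in_ifaddr *new_ifa,
    sender_fn sender, uint32_t dst, struct in_ifaddr *primary)
{
	enum outcome o;

	rt->rt_ifa = NULL;               /* window opens */
	o = sender(rt, dst, primary);    /* concurrent sender runs here */
	rt->rt_ifa = new_ifa;            /* window closes */
	return o;
}

/* Closed window: one pointer store, so a concurrent sender sees either the
 * old ifaddr or the new one, never NULL. (The old ifaddr staying valid for
 * the reader's lifetime is the net epoch's job; here nothing is freed.) */
static enum outcome
route_change_closed(struct rtentry *rt, struct in_ifaddr *new_ifa,
    sender_fn sender, uint32_t dst, struct in_ifaddr *primary)
{
	enum outcome o;

	o = sender(rt, dst, primary);    /* sender racing just before the store */
	__atomic_store_n(&rt->rt_ifa, new_ifa, __ATOMIC_RELEASE);
	return o;
}

/* Constructed scenario: the route's ifaddr is swapped from 10.0.0.1 to
 * 10.0.1.1 while a TCP sender to 10.0.0.77 is in flight. */
enum outcome
run_scenario(bool close_window, bool guarded)
{
	struct in_ifaddr old_ia = { 0x0a000001u, 0x0a0000ffu };  /* 10.0.0.1 / .255 */
	struct in_ifaddr new_ia = { 0x0a000101u, 0x0a0001ffu };  /* 10.0.1.1 / .255 */
	struct rtentry rt = { &old_ia };
	uint32_t dst = 0x0a00004du;                              /* 10.0.0.77 */
	sender_fn sender = guarded ? sender_guarded : sender_unguarded;

	if (close_window)
		return route_change_closed(&rt, &new_ia, sender, dst, &old_ia);
	return route_change_with_window(&rt, &new_ia, sender, dst, &old_ia);
}

int
main(void)
{
	printf("window open,   unguarded: %d (3 = would panic)\n", run_scenario(false, false));
	printf("window open,   guarded:   %d (2 = fallback ifaddr)\n", run_scenario(false, true));
	printf("window closed, unguarded: %d (0 = unicast)\n", run_scenario(true, false));
	return 0;
}
```

The first line of output is the reported panic; the second is the "wrong interface address, but no panic" behaviour; the third is what closing the window in the route-change path buys, which is why the report prefers that fix.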