Date: Fri, 27 Apr 2007 17:40:09 GMT
Message-Id: <200704271740.l3RHe9UQ059233@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Maxim Konovalov
Subject: Re: misc/112126: netstat segfaults on unusual ICMP statistics

The following reply was made to PR bin/112126; it has been noted by GNATS.
From: Maxim Konovalov
To: Christoph Weber-Fahr
Cc: bug-followup@freebsd.org
Subject: Re: misc/112126: netstat segfaults on unusual ICMP statistics
Date: Fri, 27 Apr 2007 21:37:17 +0400 (MSD)

On Fri, 27 Apr 2007, 16:35+0200, Christoph Weber-Fahr wrote:

> Hello,
>
> Maxim Konovalov wrote:
> > On Fri, 27 Apr 2007, 03:50+0200, Christoph Weber-Fahr wrote:
> > > Input histogram:
> > > echo reply: 12
> > > destination unreachable: 1
> > > echo: 41
> > > #20: 7
> > > icmp traceroute: 16
> > > mobile registration req: 25
> > > #37: 31
> > > 8
> > > 15
> > >
> > > Note the last two untagged values. They
> > > are created when the kernel, which in
> > > the meantime has a ICM_MAXTYPE at, say, 49,
> > > has logged 8 packets of type 44, and 15 of type 47.
> > > icmpstat.icps_outhist and icps_inhist are defined this way:
> >
> > u_long icps_outhist[ICMP_MAXTYPE + 1];
> > u_long icps_inhist[ICMP_MAXTYPE + 1];
> >
> > How do you fit types > ICMP_MAXTYPE + 1 there?
>
> Not at all. We are debating the case when ICMP_MAXTYPE
> in the kernel gets raised without adapting netstat.
>
> To test this you would not only have had modified ping, but also
> recompiled a kernel with a modified ICMP_MAXTYPE.
>
> My scenario above assumed ICMP_MAXTYPE to be 49.

OK, what about this version:

Index: inet.c =================================================================== RCS file: /home/ncvs/src/usr.bin/netstat/inet.c,v retrieving revision 1.74 diff -u -p -r1.74 inet.c --- inet.c 26 Feb 2007 22:25:21 -0000 1.74 +++ inet.c 27 Apr 2007 17:32:01 -0000
@@ -636,26 +636,48 @@ ip_stats(u_long off __unused, const char #undef p1a } -static const char *icmpnames[] = { - "echo reply", +static const char *icmpnames[ICMP_MAXTYPE + 1] = { + "echo reply", /* RFC 792 */ "#1", "#2", - "destination unreachable", - "source quench", - "routing redirect", + "destination unreachable", /* RFC 792 */ + "source quench", /* RFC 792 */ + "routing redirect", /* RFC 792 */ "#6", "#7", - "echo", - "router advertisement", - "router solicitation", - "time exceeded", - "parameter problem", - "time stamp", - "time stamp reply", - "information request", - "information request reply", - "address mask request", - "address mask reply", + "echo", /* RFC 792 */ + "router advertisement", /* RFC 1256 */ + "router solicitation", /* RFC 1256 */ + "time exceeded", /* RFC 792 */ + "parameter problem", /* RFC 792 */ + "time stamp", /* RFC 792 */ + "time stamp reply", /* RFC 792 */ + "information request", /* RFC 792 */ + "information request reply", /* RFC 792 */ + "address mask request", /* RFC 950 */ + "address mask reply", /* RFC 950 */ + "#19", + "#20", + "#21", + "#22", + "#23", + "#24", + "#25", + "#26", + "#27", + "#28", + "#29", + "icmp traceroute", /* RFC 1393 */ + "datagram conversion error", /* RFC 1475 */ + "mobile host redirect", + "IPv6 where-are-you", + "IPv6 i-am-here", + "mobile registration req", + "mobile registration reply", + "domain name request", /* RFC 1788 */ + "domain name reply", /* RFC 1788 */ + "icmp SKIP", + "icmp photuris", /* RFC 2521 */ }; /* @@ -701,8 +723,12 @@ icmp_stats(u_long off __unused, const ch printf("\tOutput histogram:\n"); first = 0; } - printf("\t\t%s: %lu\n", icmpnames[i], - icmpstat.icps_outhist[i]); + if (icmpnames[i] != NULL) + printf("\t\t%s: %lu\n", icmpnames[i], + icmpstat.icps_outhist[i]); + else + printf("\t\tunknown ICMP #%d: %lu\n", i, + icmpstat.icps_outhist[i]); } p(icps_badcode, "\t%lu message%s with bad code fields\n"); p(icps_tooshort, "\t%lu message%s < minimum length\n"); 
@@ -716,8 +742,12 @@ icmp_stats(u_long off __unused, const ch printf("\tInput histogram:\n"); first = 0; } - printf("\t\t%s: %lu\n", icmpnames[i], - icmpstat.icps_inhist[i]); + if (icmpnames[i] != NULL) + printf("\t\t%s: %lu\n", icmpnames[i], + icmpstat.icps_inhist[i]); + else + printf("\t\tunknown ICMP #%d: %lu\n", i, + icmpstat.icps_inhist[i]); } p(icps_reflect, "\t%lu message response%s generated\n"); p2(icps_badaddr, "\t%lu invalid return address%s\n"); %%% I see: #28: 1 #29: 1 icmp traceroute: 1 mobile registration req: 1 mobile registration reply: 1 domain name request: 1 domain name reply: 1 icmp SKIP: 1 icmp photuris: 1 unknown ICMP #41: 1 unknown ICMP #42: 1 unknown ICMP #43: 1 -- Maxim Konovalov
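
Review bot: in the icmpnames[] hunk (-636,26 +636,48), unassigned types are now reported two different ways. "#19" through "#29" (and the older "#1", "#2", "#6", "#7") remain literal strings, while every slot after "icmp photuris" is left as an implicit NULL and printed by the new "unknown ICMP #%d" branch, which is why the test output mixes "#28: 1" with "unknown ICMP #41: 1". Picking one spelling, for example NULL entries for all unnamed types so a single code path formats them, would make the output consistent. The explicit bound [ICMP_MAXTYPE + 1] also assumes ICMP_MAXTYPE is at least 40, since the list has 41 initializers, and the reliance on zero-filled trailing slots deserves a one-line comment above the array.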
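
Review bot: in the output-histogram hunk (-701,8 +723,12), the new icmpnames[i] != NULL test only protects indexes that fall inside the array; it does nothing if i can run past ICMP_MAXTYPE. The loop header is outside the context shown, so please confirm it stops at ICMP_MAXTYPE, the bound that icmpnames[] and icps_outhist[] now share, because a kernel built with a larger ICMP_MAXTYPE than netstat is exactly the case raised in the thread.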
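
Review bot: the input-histogram hunk (-716,8 +742,12) repeats the if/else added to the output hunk verbatim apart from icps_inhist. A small static helper that takes the type index and the counter value would keep the two printouts from drifting apart. The "%d" conversion for i also assumes i is an int, and its declaration is not in the visible context.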