Date: Thu, 22 Aug 1996 08:49:29 -0500 (CDT)
From: Michael Clay <mclay@weareb.org>
To: FreeBSD-gnats-submit@freebsd.org
Subject: kern/1532: Crash from bug in rtrequest() (sys/net/route.c)
Message-ID: <199608221349.IAA03462@locutus.weareb.org>
Resent-Message-ID: <199608221350.GAA15678@freefall.freebsd.org>
>Number:         1532
>Category:       kern
>Synopsis:       Crash from bug in rtrequest() (sys/net/route.c)
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 22 06:50:01 PDT 1996
>Last-Modified:
>Originator:     Michael Clay
>Organization:   None
>Release:        FreeBSD 2.1-STABLE i386
>Environment:
Occurs when adding routes with no netmask info.
>Description:
When adding a non-host route and not specifying the netmask information for that route, the rn_walktree_from() code will attempt to dereference the null pointer for the netmask and the system will crash. This is not seen in the AF_INET address family, since the code always adds a netmask.
>How-To-Repeat:
The only two address families I have been working with have been AF_INET and AF_INET6, the latter being the one with which I was seeing the crash. The mods for the AF_INET6 family are available from ftp://ftp.inria.fr/network/ipv6/ as part of the IP Version 6 enablement effort. With these mods, one can crash the machine with the command:

route add -inet6 ::2 ::1

I am sure that the machine can be crashed without them using a different address family, but I am not familiar enough with those families to produce a proper configuration.
>Fix:
Take a look at the code for rtrequest() in sys/net/route.c, near the bottom (line 511 from the 2.1.0 source base). There is an 'if' statement that calls the routine rnh->rnh_walktree_from(). The 'if' makes sure that the RTF_HOST bit is not set. If you take a look at all of the other calls to rnh_walktree_from(), you will see that a check is also being made to make sure that the netmask is non-NULL. The context diff for the fix is included here:

*** route.c-new Wed Aug 21 21:39:52 1996 --- route.c-orig Wed Aug 21 21:39:05 1996 *************** *** 508,514 **** * it doesn't fire when we call it there because the node * hasn't been added to the tree yet. */ ! 
if (!(rt->rt_flags & RTF_HOST) && rt_mask(rt) != 0) { struct rtfc_arg arg; arg.rnh = rnh; arg.rt0 = rt; --- 508,514 ---- * it doesn't fire when we call it there because the node * hasn't been added to the tree yet. */ ! if (!(rt->rt_flags & RTF_HOST)) { struct rtfc_arg arg; arg.rnh = rnh; arg.rt0 = rt; >Audit-Trail: >Unformatted:
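Review bot: the file arguments of this context diff are reversed. `*** route.c-new` is the "from" file and `--- route.c-orig` the "to" file, so the `!` line under `*** 508,514 ****` carries the fixed condition `if (!(rt->rt_flags & RTF_HOST) && rt_mask(rt) != 0)` and the one under `--- 508,514 ----` carries the original `if (!(rt->rt_flags & RTF_HOST))`. Fed to patch(1) as-is it would take a fixed tree back to the crashing condition; regenerate it as `diff -c route.c-orig route.c-new`, or note that it must be applied with `patch -R`. The condition itself is the right one: the report says rn_walktree_from() dereferences the netmask pointer, so a non-host route whose rt_mask(rt) is NULL must not reach that call, and the `rt_mask(rt) != 0` test brings this site in line with the other rnh_walktree_from() callers the report points at.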
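The following is an added illustration written for this archive page, not code from the report or from FreeBSD's sys/net/route.c. It models, in a few dozen lines of user-space C, the tail of rtrequest() that the report describes: a fix-up walk over existing routes that reads the new route's netmask, the original "not RTF_HOST" condition, and the condition with the netmask check added. The function names (covered_by, walktree_from, should_walk_orig, should_walk_fixed, rtrequest_add, the demo_* helpers) and the sample routes are all constructed for the example; a linked list stands in for the radix tree.

```c
/* Added illustration, not FreeBSD code: a toy model of the rtrequest() fix-up
 * walk and of the netmask check the report's patch adds.  The names echo
 * route.c, but nothing here is the kernel's implementation. */
#include <stddef.h>
#include <stdint.h>

#define RTF_HOST 0x4   /* bit value from <net/route.h>; only the bit matters here */
#define ADDR_MAX 16    /* wide enough for an AF_INET6 address */

/* Family-agnostic address or netmask, modelled on a sockaddr with sa_len. */
struct addr { uint8_t len; uint8_t b[ADDR_MAX]; };

struct rtentry {
    int flags;
    struct addr dst;
    const struct addr *mask;  /* NULL when the caller supplied no netmask */
    struct rtentry *next;     /* a list stands in for the radix tree */
};

/* Stand-in for the rt_fixchange() callback: does rt's destination fall under
 * rt0's prefix?  It reads rt0->mask unconditionally, the NULL dereference the
 * report attributes to rn_walktree_from(). */
static int covered_by(const struct rtentry *rt0, const struct rtentry *rt)
{
    const struct addr *m = rt0->mask;              /* NULL here is the crash */
    if (rt->dst.len < m->len) return 0;
    for (size_t i = 0; i < m->len; i++)
        if ((rt0->dst.b[i] ^ rt->dst.b[i]) & m->b[i]) return 0;
    return 1;
}

/* Stand-in for rnh_walktree_from(): visit every other route and count those
 * the new route rt0 now shadows (the ones needing a fix-up). */
static int walktree_from(struct rtentry *head, struct rtentry *rt0)
{
    int fixed = 0;
    for (struct rtentry *rt = head; rt != NULL; rt = rt->next)
        if (rt != rt0 && covered_by(rt0, rt)) fixed++;
    return fixed;
}

/* The condition the report found in rtrequest(): walk for any non-host route. */
static int should_walk_orig(const struct rtentry *rt)
{
    return !(rt->flags & RTF_HOST);
}

/* The condition from the submitted fix.  A route without a mask is stored as a
 * leaf and cannot shadow other routes, so skipping the walk loses nothing. */
static int should_walk_fixed(const struct rtentry *rt)
{
    return !(rt->flags & RTF_HOST) && rt->mask != NULL;
}

/* Tail of an RTM_ADD under the fixed condition: link rt in, then fix up. */
static int rtrequest_add(struct rtentry **head, struct rtentry *rt)
{
    rt->next = *head;
    *head = rt;
    return should_walk_fixed(rt) ? walktree_from(*head, rt) : 0;
}

/* Constructed sample data, not taken from the report. */
#define V6(...) { 16, { __VA_ARGS__ } }
static const struct addr mask64 = V6(0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff);

/* Adding 2001:db8::/64 with a netmask: the walk runs and finds the two host
 * routes inside the prefix but not the neighbouring 2001:db8:1::/64.  Returns 2. */
static int demo_masked_add(void)
{
    struct rtentry h1  = { RTF_HOST, V6(0x20,0x01,0x0d,0xb8, 0,0,0,0, 0,0,0,0, 0,0,0,1), NULL, NULL };
    struct rtentry h2  = { RTF_HOST, V6(0x20,0x01,0x0d,0xb8, 0,0,0,0, 0,0,0,0, 0,0,0,2), NULL, NULL };
    struct rtentry out = { 0, V6(0x20,0x01,0x0d,0xb8, 0,1,0,0), &mask64, NULL };
    struct rtentry net = { 0, V6(0x20,0x01,0x0d,0xb8), &mask64, NULL };
    struct rtentry *head = NULL;
    rtrequest_add(&head, &h1);
    rtrequest_add(&head, &h2);
    rtrequest_add(&head, &out);
    return rtrequest_add(&head, &net);
}

/* The reported case: a non-host route for ::2 with no netmask, the shape
 * "route add -inet6 ::2 ::1" produces.  Under the original condition the
 * walk would be entered with a NULL mask: returns 1. */
static int demo_orig_would_walk(void)
{
    struct rtentry rt = { 0, V6(0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,2), NULL, NULL };
    return should_walk_orig(&rt);
}

/* Same route under the fixed condition: linked in, no walk, covered_by() is
 * never reached.  Returns 0. */
static int demo_fixed_add(void)
{
    struct rtentry h1 = { RTF_HOST, V6(0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,1), NULL, NULL };
    struct rtentry rt = { 0, V6(0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,2), NULL, NULL };
    struct rtentry *head = NULL;
    rtrequest_add(&head, &h1);
    return rtrequest_add(&head, &rt);
}
```

The comment on should_walk_fixed() that a maskless route is stored as a leaf and so cannot shadow other routes is my reading of the radix code, stated here as an assumption; the report itself only argues from the other rnh_walktree_from() callers guarding on a non-NULL netmask. The guard is deliberately placed in the caller rather than inside covered_by(): a NULL check inside the callback would hide the real question, which is whether a route without a mask should enter the fix-up walk at all.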
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199608221349.IAA03462>