From owner-freebsd-bugs Thu Aug 22 06:50:03 1996
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id GAA15700 for bugs-outgoing; Thu, 22 Aug 1996 06:50:03 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id GAA15678; Thu, 22 Aug 1996 06:50:02 -0700 (PDT)
Resent-Date: Thu, 22 Aug 1996 06:50:02 -0700 (PDT)
Resent-Message-Id: <199608221350.GAA15678@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, mclay@weareb.org
Received: from locutus.weareb.org (locutus.weareb.org [204.177.169.98]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id GAA15585 for ; Thu, 22 Aug 1996 06:49:24 -0700 (PDT)
Received: (from mclay@localhost) by locutus.weareb.org (8.7.4/8.7.4) id IAA03462; Thu, 22 Aug 1996 08:49:29 -0500 (CDT)
Message-Id: <199608221349.IAA03462@locutus.weareb.org>
Date: Thu, 22 Aug 1996 08:49:29 -0500 (CDT)
From: Michael Clay
Reply-To: mclay@weareb.org
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/1532: Crash from bug in rtrequest() (sys/net/route.c)
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Number: 1532
>Category: kern
>Synopsis: Crash from bug in rtrequest() (sys/net/route.c)
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Aug 22 06:50:01 PDT 1996
>Last-Modified:
>Originator: Michael Clay
>Organization: None
>Release: FreeBSD 2.1-STABLE i386
>Environment:
Occurs when adding routes with no netmask info.
>Description:
When adding a non-host route and not specifying the netmask information for that route, the rn_walktree_from() code will attempt to dereference the null pointer for the netmask and the system will crash. This is not seen in the AF_INET address family, since the code always adds a netmask.
>How-To-Repeat:
The only two address families I have been working with have been AF_INET and AF_INET6, the latter being the one with which I was seeing the crash. The mods for the AF_INET6 family are available from ftp://ftp.inria.fr/network/ipv6/ as part of the IP Version 6 enablement effort. With these mods, one can crash the machine with the command:

route add -inet6 ::2 ::1

I am sure that the machine can be crashed without them using a different address family, but I am not familiar enough with those families to produce a proper configuration.
>Fix:
Take a look at the code for rtrequest() in sys/net/route.c, near the bottom (line 511 from the 2.1.0 source base). There is an 'if' statement that calls the routine rnh->rnh_walktree_from(). The 'if' makes sure that the RTF_HOST bit is not set. If you take a look at all of the other calls to rnh_walktree_from(), you will see that a check is also being made to make sure that the netmask is non-NULL. The context diff for the fix is included here:

*** route.c-new Wed Aug 21 21:39:52 1996 --- route.c-orig Wed Aug 21 21:39:05 1996 *************** *** 508,514 **** * it doesn't fire when we call it there because the node * hasn't been added to the tree yet. */ ! if (!(rt->rt_flags & RTF_HOST) && rt_mask(rt) != 0) { struct rtfc_arg arg; arg.rnh = rnh; arg.rt0 = rt; --- 508,514 ---- * it doesn't fire when we call it there because the node * hasn't been added to the tree yet. */ ! if (!(rt->rt_flags & RTF_HOST)) { struct rtfc_arg arg; arg.rnh = rnh; arg.rt0 = rt;

>Audit-Trail:
>Unformatted:
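Review bot: the context diff is reversed. `*** route.c-new` is listed as the old file and `--- route.c-orig` as the new one, so the `!` lines run from the guarded test `if (!(rt->rt_flags & RTF_HOST) && rt_mask(rt) != 0) {` to the unguarded `if (!(rt->rt_flags & RTF_HOST)) {`; fed to patch(1) against an unmodified 2.1.0 route.c it would not add the check (patch would reject the hunk or offer to apply it reversed). Regenerate it as `diff -c route.c-orig route.c-new`, or note that it must be applied with `patch -R`. The change itself is sound: it brings this call site in line with the null-mask test the other rnh_walktree_from() callers already make, and a one-line comment above the `if` saying that a non-host route may legitimately arrive without a mask would spare the next reader from re-deriving why the walk is skipped.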
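The following is an added example, not FreeBSD source: a user-space model of the tail of rtrequest() as the report describes it, with the 2.1.0 test and the reporter's corrected test side by side. The names rtentry, rt_mask, RTF_HOST, rtfc_arg and the walk function follow sys/net/route.c, but the structures are cut down to what the bug needs, and "walking the tree" is reduced to reading the mask to compute a prefix length, which is the assumption that makes a NULL mask a crash here just as it is a panic in the kernel. The /64 mask is constructed sample input.

```c
/* Added example (not the FreeBSD code): model of the rtrequest() tail
 * from PR kern/1532.  Assumption: the walk dereferences the mask
 * before doing anything else, as the report says the real walk does. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RTF_HOST 0x4            /* host route flag, value as in net/route.h */

/* BSD sockaddr-style netmask: sa_len counts the whole structure. */
struct sockaddr_m {
    unsigned char sa_len;
    unsigned char sa_family;
    unsigned char sa_data[16];  /* room for a 128-bit mask */
};

struct rtentry {
    int rt_flags;
    struct sockaddr_m *rt_netmask;   /* NULL when no mask was supplied */
};
#define rt_mask(rt) ((rt)->rt_netmask)

struct rtfc_arg {
    struct rtentry *rt0;
    int prefixlen;                   /* filled in by the walk */
};

/* Model of rnh_walktree_from(): counts the mask bits, so it reads
 * through the mask pointer unconditionally.  A NULL mask is a
 * segfault here, the user-space analogue of the reported panic. */
static int model_walktree_from(struct sockaddr_m *mask, struct rtfc_arg *arg)
{
    int bits = 0;
    for (int i = 0; i + 2 < mask->sa_len; i++)
        for (unsigned char b = mask->sa_data[i]; b; b <<= 1)
            if (b & 0x80) bits++;
    arg->prefixlen = bits;
    return bits;
}

/* 2.1.0 behaviour: walk whenever the route is not a host route,
 * whether or not a mask exists.  Returns the prefix length walked,
 * or 0 when the walk was skipped. */
static int rtrequest_tail_orig(struct rtentry *rt)
{
    struct rtfc_arg arg = { rt, 0 };
    if (!(rt->rt_flags & RTF_HOST))
        return model_walktree_from(rt_mask(rt), &arg);
    return 0;
}

/* The reporter's fix: also require a non-NULL mask, matching the
 * other rnh_walktree_from() call sites. */
static int rtrequest_tail_fixed(struct rtentry *rt)
{
    struct rtfc_arg arg = { rt, 0 };
    if (!(rt->rt_flags & RTF_HOST) && rt_mask(rt) != 0)
        return model_walktree_from(rt_mask(rt), &arg);
    return 0;
}

/* Constructed sample input: a /64 mask (first 8 data bytes all ones). */
static void make_mask64(struct sockaddr_m *m)
{
    memset(m, 0, sizeof *m);
    m->sa_len = 2 + 16;
    memset(m->sa_data, 0xff, 8);
}

/* Run one case: route flags, whether a mask is attached, which version.
 * demo_case(0, 0, 0) reproduces the report (net route, no mask, original
 * code) and crashes; every other combination returns normally. */
int demo_case(int flags, int have_mask, int fixed)
{
    struct sockaddr_m m;
    struct rtentry rt;
    make_mask64(&m);
    rt.rt_flags = flags;
    rt.rt_netmask = have_mask ? &m : NULL;
    return fixed ? rtrequest_tail_fixed(&rt) : rtrequest_tail_orig(&rt);
}

int main(void)
{
    printf("net route, mask, original:  walked /%d\n", demo_case(0, 1, 0));
    printf("net route, mask, fixed:     walked /%d\n", demo_case(0, 1, 1));
    printf("net route, no mask, fixed:  walked /%d (skipped)\n", demo_case(0, 0, 1));
    printf("host route, no mask, fixed: walked /%d (skipped)\n", demo_case(RTF_HOST, 0, 1));
    /* demo_case(0, 0, 0) is the crash from the report and is not run. */
    return 0;
}
```

The point the model makes is that the guard belongs at the call site: the walk has no way to tell an absent mask from a present one, and AF_INET never exercised the path only because its route-add code always supplies a mask.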