From owner-freebsd-commit  Sun Jul  2 16:57:59 1995
Return-Path: commit-owner
Received: (from majordom@localhost)
          by freefall.cdrom.com (8.6.10/8.6.6) id QAA13382
          for commit-outgoing; Sun, 2 Jul 1995 16:57:59 -0700
Received: (from majordom@localhost)
          by freefall.cdrom.com (8.6.10/8.6.6) id QAA13369
          for cvs-sys-outgoing; Sun, 2 Jul 1995 16:57:50 -0700
Received: from disperse.demon.co.uk (disperse.demon.co.uk [158.152.1.77])
          by freefall.cdrom.com (8.6.10/8.6.6) with SMTP id QAA13361
          ; Sun, 2 Jul 1995 16:57:45 -0700
Received: from post.demon.co.uk by disperse.demon.co.uk id aa21625;
          3 Jul 95 0:05 +0100
Received: from bagpuss.demon.co.uk by post.demon.co.uk id aa18019;
          3 Jul 95 0:05 +0100
Received: (karl@localhost) by bagpuss.demon.co.uk (3.1/3.1) id UAA05771; Sun, 2 Jul 1995 20:41:05 +0100
From: Karl Strickland <karl@bagpuss.demon.co.uk>
Message-Id: <199507021941.UAA05771@bagpuss.demon.co.uk>
Subject: Re: cvs commit: src/sys/netinet ip_output.c
To: "Rodney W. Grimes" <rgrimes@gndrsh.aac.dev.com>
Date: Sun, 2 Jul 1995 20:41:04 +0100 (BST)
Cc: joerg@freefall.cdrom.com, CVS-commiters@freefall.cdrom.com,
        cvs-sys@freefall.cdrom.com
In-Reply-To: <199507020733.AAA15991@gndrsh.aac.dev.com> from "Rodney W. Grimes" at Jul 2, 95 00:33:07 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 1135      
Sender: commit-owner@FreeBSD.org
Precedence: bulk

> 
> > 
> > joerg       95/07/01 12:09:41
> > 
> >   Modified:    sys/netinet  ip_output.c
> >   Log:
> >   I saw a very low-key commit message on the netbsd mailing lists and
> >   figured out what the problem was..  Anyway, I rate it as "highly
> >   serious".
> 
> That is ``where'' it came from, there should be an annotation about
> ``what'' it changed, and normally ``why'', we should not try to hide
> holes that crash systems from our uses, they need to know about them.
> 
> >   Submitted by:	peter@haywire.DIALix.COM (Peter Wemm)
> > 
> 

Seems a program such as the following can cause a crash with a NULL ptr
dereference:


	main()
	{
		int s;
		s = socket(AF_INET, SOCK_STREAM, 0);
		setsockopt(s, IPPROTO_IP, IP_TOS, NULL, 0);
	}

For some of the new IP options in net/3, the NULL mbuf ptr is not checked for
before it is dereferenced.
-- 
------------------------------------------+-----------------------------------
Mailed using ELM on FreeBSD               |                    Karl Strickland
PGP 2.3a Public Key Available.            | Internet: karl@bagpuss.demon.co.uk
                                          |