Date:      Mon, 15 Apr 1996 04:40:47 +0300 (EET DST)
From:      Heikki Suonsivu <hsu@clinet.fi>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   kern/1140: arpresolve does a null pointer dereference through rt0
Message-ID:  <199604150140.EAA26486@katiska.clinet.fi>
Resent-Message-ID: <199604150150.SAA03986@freefall.freebsd.org>


>Number:         1140
>Category:       kern
>Synopsis:       arpresolve does a null pointer dereference through rt0
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Apr 14 18:50:02 PDT 1996
>Last-Modified:
>Originator:     Heikki Suonsivu
>Organization:
Clinet, Espoo, Finland
>Release:        FreeBSD 2.2-CURRENT i386
>Environment:

Apr 15 03:56:37 otaniemi3-gw /kernel.rikki: NETARNET
Apr 15 03:56:38 otaniemi3-gw /kernel.rikki: CPU: Pentium (99.46-MHz 586-class CPU)
Apr 15 03:56:38 otaniemi3-gw /kernel.rikki:   Origin = "GenuineIntel"  Id = 0x525  Stepping=5
Apr 15 03:56:38 otaniemi3-gw /kernel.rikki:   Features=0x1bf<FPU,VME,DE,PSE,TSC,MSR,MCE,CX8>
Apr 15 03:56:38 otaniemi3-gw /kernel.rikki: real memory  = 16777216 (16384K bytes)
Apr 15 03:56:38 otaniemi3-gw /kernel.rikki: avail memory = 14446592 (14108K bytes)
Apr 15 03:56:38 otaniemi3-gw /kernel.rikki: Probing for devices on PCI bus 0:
Apr 15 03:56:38 otaniemi3-gw /kernel.rikki: chip0 <generic PCI bridge (vendor=1039 device=5511 subclass=0)> rev 0 on pci0:0
Apr 15 03:56:38 otaniemi3-gw /kernel.rikki: chip1 <SiS 85c503> rev 1 on pci0:1
Apr 15 03:56:38 otaniemi3-gw /kernel.rikki: pci0:1: Silicon Integrated Systems, device=0x5513, class=storage (ide) int a irq ?? [no driver assigned]
Apr 15 03:56:38 otaniemi3-gw /kernel.rikki: chip2 <DEC 21050 PCI-PCI bridge> rev 2 on pci0:9
Apr 15 03:56:39 otaniemi3-gw /kernel.rikki: chip3 <DEC 21050 PCI-PCI bridge> rev 2 on pci0:10
Apr 15 03:56:39 otaniemi3-gw /kernel.rikki: chip4 <DEC 21050 PCI-PCI bridge> rev 1 on pci0:11
Apr 15 03:56:39 otaniemi3-gw /kernel.rikki: chip5 <DEC 21050 PCI-PCI bridge> rev 2 on pci0:12
Apr 15 03:56:39 otaniemi3-gw /kernel.rikki: Probing for devices on PCI bus 1:
Apr 15 03:56:39 otaniemi3-gw /kernel.rikki: de0 <Digital DC21040 Ethernet> rev 35 int a irq 7 on pci1:4
Apr 15 03:56:39 otaniemi3-gw /kernel.rikki: pcibus_ihandler_attach: counting pci irq7's as clk0 irqs
Apr 15 03:56:39 otaniemi3-gw /kernel.rikki: de0: DC21040 [10Mb/s] pass 2.3 Ethernet address 00:00:c0:20:18:c0
Apr 15 03:56:39 otaniemi3-gw /kernel.rikki: de0: enabling Thinwire/AUI port
Apr 15 03:56:40 otaniemi3-gw /kernel.rikki: de1 <Digital DC21040 Ethernet> rev 35 int a irq 11 on pci1:5
Apr 15 03:56:40 otaniemi3-gw /kernel.rikki: pcibus_ihandler_attach: counting pci irq11's as clk0 irqs
Apr 15 03:56:40 otaniemi3-gw /kernel.rikki: de1: DC21040 [10Mb/s] pass 2.3 Ethernet address 00:00:c0:d3:10:c0
Apr 15 03:56:40 otaniemi3-gw /kernel.rikki: de1: enabling Thinwire/AUI port
Apr 15 03:56:40 otaniemi3-gw /kernel.rikki: Probing for devices on PCI bus 2:
Apr 15 03:56:40 otaniemi3-gw /kernel.rikki: de2 <Digital DC21040 Ethernet> rev 35 int a irq 9 on pci2:4
Apr 15 03:56:41 otaniemi3-gw /kernel.rikki: pcibus_ihandler_attach: counting pci irq9's as clk0 irqs
Apr 15 03:56:41 otaniemi3-gw /kernel.rikki: de2: DC21040 [10Mb/s] pass 2.3 Ethernet address 00:00:c0:01:17:c0
Apr 15 03:56:41 otaniemi3-gw /kernel.rikki: de2: enabling Thinwire/AUI port
Apr 15 03:56:41 otaniemi3-gw /kernel.rikki: de3 <Digital DC21040 Ethernet> rev 35 int a irq 7 on pci2:5
Apr 15 03:56:41 otaniemi3-gw /kernel.rikki: pcibus_ihandler_attach: counting pci irq7's as clk0 irqs
Apr 15 03:56:41 otaniemi3-gw /kernel.rikki: de3: DC21040 [10Mb/s] pass 2.3 Ethernet address 00:00:c0:15:12:c0
Apr 15 03:56:41 otaniemi3-gw /kernel.rikki: de3: enabling Thinwire/AUI port
Apr 15 03:56:41 otaniemi3-gw /kernel.rikki: Probing for devices on PCI bus 3:
Apr 15 03:56:41 otaniemi3-gw /kernel.rikki: de4 <Digital DC21040 Ethernet> rev 35 int a irq 12 on pci3:4
Apr 15 03:56:42 otaniemi3-gw /kernel.rikki: pcibus_ihandler_attach: counting pci irq12's as clk0 irqs
Apr 15 03:56:42 otaniemi3-gw /kernel.rikki: de4: ZNYX ZX314 DC21040 [10Mb/s] pass 2.3 Ethernet address 00:c0:95:f0:01:4c
Apr 15 03:56:42 otaniemi3-gw /kernel.rikki: de4: enabling 10baseT/UTP port
Apr 15 03:56:42 otaniemi3-gw /kernel.rikki: de5 <Digital DC21040 Ethernet> rev 35 int a irq 9 on pci3:5
Apr 15 03:56:42 otaniemi3-gw /kernel.rikki: de5: ZNYX ZX314 DC21040 [10Mb/s] pass 2.3 Ethernet address 00:c0:95:f0:01:4d
Apr 15 03:56:42 otaniemi3-gw /kernel.rikki: de5: enabling 10baseT/UTP port
Apr 15 03:56:42 otaniemi3-gw /kernel.rikki: de6 <Digital DC21040 Ethernet> rev 35 int a irq 7 on pci3:6
Apr 15 03:56:42 otaniemi3-gw /kernel.rikki: de6: ZNYX ZX314 DC21040 [10Mb/s] pass 2.3 Ethernet address 00:c0:95:f0:01:4e
Apr 15 03:56:42 otaniemi3-gw /kernel.rikki: de6: enabling 10baseT/UTP port
Apr 15 03:56:43 otaniemi3-gw /kernel.rikki: de7 <Digital DC21040 Ethernet> rev 35 int a irq 11 on pci3:7
Apr 15 03:56:43 otaniemi3-gw /kernel.rikki: de7: ZNYX ZX314 DC21040 [10Mb/s] pass 2.3 Ethernet address 00:c0:95:f0:01:4f
Apr 15 03:56:43 otaniemi3-gw /kernel.rikki: de7: enabling 10baseT/UTP port
Apr 15 03:56:43 otaniemi3-gw /kernel.rikki: Probing for devices on PCI bus 4:
Apr 15 03:56:43 otaniemi3-gw /kernel.rikki: de8 <Digital DC21040 Ethernet> rev 35 int a irq 11 on pci4:4
Apr 15 03:56:43 otaniemi3-gw /kernel.rikki: pcibus_ihandler_attach: counting pci irq11's as clk0 irqs
Apr 15 03:56:43 otaniemi3-gw /kernel.rikki: de8: DC21040 [10Mb/s] pass 2.3 Ethernet address 00:00:c0:59:17:c0
Apr 15 03:56:43 otaniemi3-gw /kernel.rikki: de8: enabling Thinwire/AUI port
Apr 15 03:56:43 otaniemi3-gw /kernel.rikki: de9 <Digital DC21040 Ethernet> rev 35 int a irq 12 on pci4:5
Apr 15 03:56:43 otaniemi3-gw /kernel.rikki: pcibus_ihandler_attach: counting pci irq12's as clk0 irqs
Apr 15 03:56:43 otaniemi3-gw /kernel.rikki: de9: DC21040 [10Mb/s] pass 2.3 Ethernet address 00:00:c0:01:13:c0
Apr 15 03:56:43 otaniemi3-gw /kernel.rikki: de9: enabling Thinwire/AUI port
Apr 15 03:56:44 otaniemi3-gw /kernel.rikki: Probing for devices on the ISA bus:
Apr 15 03:56:44 otaniemi3-gw /kernel.rikki: vt0 at 0x60-0x6f irq 1 on motherboard
Apr 15 03:56:44 otaniemi3-gw /kernel.rikki: vt0: generic, 80 col, color, 8 scr, mf2-kbd, [R3.20-b24]
Apr 15 03:56:45 otaniemi3-gw /kernel.rikki: ed0 not found at 0x280
Apr 15 03:56:45 otaniemi3-gw /kernel.rikki: ed3 not found at 0x240
Apr 15 03:56:45 otaniemi3-gw /kernel.rikki: ed4 not found at 0x340
Apr 15 03:56:46 otaniemi3-gw /kernel.rikki: ed5 not found at 0x220
Apr 15 03:56:46 otaniemi3-gw /kernel.rikki: sio0 at 0x3f8-0x3ff irq 4 on isa
Apr 15 03:56:46 otaniemi3-gw /kernel.rikki: sio0: type 16550A
Apr 15 03:56:47 otaniemi3-gw /kernel.rikki: sio0 not probed due to I/O address conflict with sio0 at 0x3f8
Apr 15 03:56:47 otaniemi3-gw /kernel.rikki: sio1 at 0x2f8-0x2ff irq 3 on isa
Apr 15 03:56:47 otaniemi3-gw /kernel.rikki: sio1: type 16550A
Apr 15 03:56:47 otaniemi3-gw /kernel.rikki: sio1 not probed due to I/O address conflict with sio1 at 0x2f8
Apr 15 03:56:48 otaniemi3-gw /kernel.rikki: sio2 not found at 0x2a0
Apr 15 03:56:48 otaniemi3-gw /kernel.rikki: sio2 not found at 0x2a0
Apr 15 03:56:48 otaniemi3-gw /kernel.rikki: sio3 not found at 0x2a8
Apr 15 03:56:48 otaniemi3-gw /kernel.rikki: sio3 not found at 0x2a8
Apr 15 03:56:48 otaniemi3-gw /kernel.rikki: sio4 not found at 0x2b0
Apr 15 03:56:48 otaniemi3-gw /kernel.rikki: sio4 not found at 0x2b0
Apr 15 03:56:48 otaniemi3-gw /kernel.rikki: sio5 not found at 0x2b8
Apr 15 03:56:49 otaniemi3-gw /kernel.rikki: sio5 not found at 0x2b8
Apr 15 03:56:49 otaniemi3-gw /kernel.rikki: cy0 not found
Apr 15 03:56:49 otaniemi3-gw /kernel.rikki: cy1 not found
Apr 15 03:56:49 otaniemi3-gw /kernel.rikki: bt0 not found at 0x330
Apr 15 03:56:49 otaniemi3-gw /kernel.rikki: aha0 not found at 0x330
Apr 15 03:56:49 otaniemi3-gw /kernel.rikki: wdc0 at 0x1f0-0x1f7 irq 14 on isa
Apr 15 03:56:49 otaniemi3-gw /kernel.rikki: wdc0: unit 0 (wd0): <QUANTUM TRB850A>
Apr 15 03:56:49 otaniemi3-gw /kernel.rikki: wd0: 810MB (1660176 sectors), 1647 cyls, 16 heads, 63 S/T, 512 B/S
Apr 15 03:56:49 otaniemi3-gw /kernel.rikki: fdc0 at 0x3f0-0x3f7 irq 6 drq 2 on isa
Apr 15 03:56:50 otaniemi3-gw /kernel.rikki: fdc0: NEC 72065B
Apr 15 03:56:50 otaniemi3-gw /kernel.rikki: fd0: 1.44MB 3.5in
Apr 15 03:56:50 otaniemi3-gw /kernel.rikki: arc0 at 0x300-0x30f irq 10 maddr 0xd0000 msize 16384 on isa
Apr 15 03:56:50 otaniemi3-gw /kernel.rikki: arc0: 256K RAM, 4 ports, rev 0, EIA-232 or V.35 interface.
Apr 15 03:56:50 otaniemi3-gw /kernel.rikki: ar0: Adapter 0, port 0.
Apr 15 03:56:50 otaniemi3-gw /kernel.rikki: ar1: Adapter 0, port 1.
Apr 15 03:56:50 otaniemi3-gw /kernel.rikki: ar2: Adapter 0, port 2.
Apr 15 03:56:50 otaniemi3-gw /kernel.rikki: ar3: Adapter 0, port 3.
Apr 15 03:56:50 otaniemi3-gw /kernel.rikki: npx0 on motherboard
Apr 15 03:56:51 otaniemi3-gw /kernel.rikki: npx0: INT 16 interface
Apr 15 03:56:51 otaniemi3-gw /kernel.rikki: new masks: bio c0004040, tty c0031e9a, net c0031e9a
Apr 15 03:56:42 otaniemi3-gw lpd[91]: restarted
Apr 15 03:56:48 otaniemi3-gw gated[139]: parse: gated.conf:24 gateway not a host address on an attached network: '194.100.43.94'
Apr 15 03:56:48 otaniemi3-gw gated[139]: Commence routing updates


>Description:

	Partially this is theory; the crash dump isn't all clear about
	this.  It seems that when gated starts up, the kernel ends up doing a
	null pointer dereference through a NULL rt0 (I don't know how that
	ended up there in the first place).

Current directory is /usr/local/ftp/pub/FreeBSD/crashdumps/otaniemi3/
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.13 (i386-unknown-freebsd), 
Copyright 1994 Free Software Foundation, Inc...
IdlePTD 24a000
current pcb at 2097cc
panic: page fault
#0  boot (howto=256) at ../../i386/i386/machdep.c:940
(kgdb) bt
#0  boot (howto=256) at ../../i386/i386/machdep.c:940
#1  0xf0116c46 in panic (fmt=0xf01c5a0c "page fault")
    at ../../kern/subr_prf.c:133
#2  0xf01c6566 in trap_fatal (frame=0xefbffd18) at ../../i386/i386/trap.c:740
#3  0xf01c6058 in trap_pfault (frame=0xefbffd18, usermode=0)
    at ../../i386/i386/trap.c:651
#4  0xf01c5d3b in trap (frame={tf_es = 16, tf_ds = 16, tf_edi = -272630352, 
      tf_esi = -258260800, tf_ebp = -272630420, tf_isp = -272630464, 
      tf_ebx = -257822720, tf_edx = -257446016, tf_ecx = 0, 
      tf_eax = -257449932, tf_trapno = 12, tf_err = 0, tf_eip = -267067890, 
      tf_cs = 8, tf_eflags = 66178, tf_esp = -257449932, tf_ss = -258265948})
    at ../../i386/i386/trap.c:319
#5  0xf01bbd01 in calltrap ()
#6  0xf0140d02 in ether_output (ifp=0xf09b2c00, m0=0xf0a7af80, dst=0xf0a7a030, 
    rt0=0x0) at ../../net/if_ethersubr.c:147
#7  0xf0155dbd in ip_output (m0=0xf0a7af80, opt=0x0, ro=0xf0a7a02c, flags=48, 
    imo=0xf0a7ad00) at ../../netinet/ip_output.c:353
#8  0xf0157124 in rip_output (m=0xf0a7af80, so=0xf0a7b900, dst=2113955010)
    at ../../netinet/raw_ip.c:184
#9  0xf015752f in rip_usrreq (so=0xf0a7b900, req=9, m=0xf0a7af80, 
    nam=0xf0a70500, control=0x0) at ../../netinet/raw_ip.c:406
#10 0xf0124cb6 in sosend (so=0xf0a7b900, addr=0xf0a70500, uio=0xefbffee8, 
    top=0xf0a7af80, control=0x0, flags=4) at ../../kern/uipc_socket.c:471
#11 0xf01273e3 in sendit (p=0xf0a6e500, s=11, mp=0xefbfff2c, flags=4, 
    retsize=0xefbfff84) at ../../kern/uipc_syscalls.c:467
#12 0xf01274c0 in sendto (p=0xf0a6e500, uap=0xefbfff94, retval=0xefbfff84)
    at ../../kern/uipc_syscalls.c:518
#13 0xf01c6871 in syscall (frame={tf_es = 39, tf_ds = 39, tf_edi = 0, 
      tf_esi = 5, tf_ebp = -272640176, tf_isp = -272629788, 
      tf_ebx = 536870912, tf_edx = 0, tf_ecx = 886080, tf_eax = 133, 
      tf_trapno = 12, tf_err = 7, tf_eip = 135189125, tf_cs = 31, 
      tf_eflags = 662, tf_esp = -272640236, tf_ss = 39})
    at ../../i386/i386/trap.c:904
#14 0xf01bbd55 in Xsyscall ()
#15 0x64628 in ?? ()
#16 0x7c3cf in ?? ()
#17 0x7844d in ?? ()
#18 0x62621 in ?? ()
#19 0x79601 in ?? ()
#20 0x739b3 in ?? ()
#21 0x74531 in ?? ()
#22 0x63ee0 in ?? ()
#23 0x2a15c in ?? ()
#24 0x2f681 in ?? ()
#25 0x10d3 in ?? ()
(kgdb) up
#1  0xf0116c46 in panic (fmt=0xf01c5a0c "page fault")
    at ../../kern/subr_prf.c:133
(kgdb) 
#2  0xf01c6566 in trap_fatal (frame=0xefbffd18) at ../../i386/i386/trap.c:740
(kgdb) 
#3  0xf01c6058 in trap_pfault (frame=0xefbffd18, usermode=0)
    at ../../i386/i386/trap.c:651
(kgdb) 
#4  0xf01c5d3b in trap (frame={tf_es = 16, tf_ds = 16, tf_edi = -272630352, 
      tf_esi = -258260800, tf_ebp = -272630420, tf_isp = -272630464, 
      tf_ebx = -257822720, tf_edx = -257446016, tf_ecx = 0, 
      tf_eax = -257449932, tf_trapno = 12, tf_err = 0, tf_eip = -267067890, 
      tf_cs = 8, tf_eflags = 66178, tf_esp = -257449932, tf_ss = -258265948})
    at ../../i386/i386/trap.c:319
(kgdb) 
#5  0xf01bbd01 in calltrap ()
(kgdb) 
#6  0xf0140d02 in ether_output (ifp=0xf09b2c00, m0=0xf0a7af80, dst=0xf0a7a030, 
    rt0=0x0) at ../../net/if_ethersubr.c:147
(kgdb) print ac
$1 = (struct arpcom *) 0xf09b2c00
(kgdb) print *ac
$2 = {ac_if = {if_softc = 0xf09b2c00, if_name = 0xf018f1a5 "de", 
    if_next = 0xf09b2800, if_addrlist = 0xf06ae700, if_pcount = 0, 
    if_bpf = 0x0, if_index = 1, if_unit = 0, if_timer = 0, if_flags = -14269, 
    if_recvquota = 0 '\000', if_sendquota = 0 '\000', if_ipending = 0 '\000', 
    if_data = {ifi_type = 6 '\006', ifi_physical = 0 '\000', 
      ifi_addrlen = 6 '\006', ifi_hdrlen = 14 '\016', ifi_mtu = 1500, 
      ifi_metric = 0, ifi_baudrate = 0, ifi_ipackets = 22, ifi_ierrors = 0, 
      ifi_opackets = 17, ifi_oerrors = 0, ifi_collisions = 8, 
      ifi_ibytes = 3427, ifi_obytes = 1200, ifi_imcasts = 11, ifi_omcasts = 5, 
      ifi_iqdrops = 0, ifi_noproto = 0, ifi_lastchange = {tv_sec = 829529816, 
        tv_usec = 160000}}, if_output = 0xf0140bdc <ether_output>, 
    if_start = 0xf018dbd0 <tulip_start>, if_done = 0, 
    if_ioctl = 0xf018ec10 <tulip_ioctl>, if_watchdog = 0, if_poll_recv = 0, 
    if_poll_xmit = 0, if_poll_intren = 0, if_poll_slowinput = 0, if_snd = {
      ifq_head = 0x0, ifq_tail = 0x0, ifq_len = 0, ifq_maxlen = 50, 
      ifq_drops = 0}, if_poll_slowq = 0x0}, ac_enaddr = "\000\000À \030À", 
  ac_multiaddrs = 0xf0a574a0, ac_multicnt = 3}
(kgdb) print rt
$3 = (struct rtentry *) 0xf0a1f000
(kgdb) print *rt
$4 = {rt_nodes = {{rn_mklist = 0x0, rn_p = 0xf0a24218, rn_b = -1, 
      rn_bmask = 0 '\000', rn_flags = 4 '\004', rn_u = {rn_leaf = {
          rn_Key = 0xf0a1dd40 "\020\002", rn_Mask = 0x0, rn_Dupedkey = 0x0}, 
        rn_node = {rn_Off = -257827520, rn_L = 0x0, rn_R = 0x0}}}, {
      rn_mklist = 0xf09b1ef0, rn_p = 0xf0a7b518, rn_b = 57, rn_bmask = 64 '@', 
      rn_flags = 4 '\004', rn_u = {rn_leaf = {
          rn_Key = 0x7 "4\022U\211åj\002\235\214Ø\216à\216è\203}\004", 
          rn_Mask = 0xf0a7b018 "", rn_Dupedkey = 0xf0a24218}, rn_node = {
          rn_Off = 7, rn_L = 0xf0a7b018, rn_R = 0xf0a24218}}}}, 
  rt_gateway = 0xf0a1dd50, rt_filler = 0, rt_refcnt = 1, rt_flags = 132101, 
  rt_ifp = 0xf09b2c00, rt_ifa = 0xf0a22700, rt_genmask = 0x0, 
  rt_llinfo = 0xf09b40c0 "à@\233ð\200t¥ð", rt_rmx = {rmx_locks = 0, 
    rmx_mtu = 1500, rmx_hopcount = 0, rmx_expire = 829529816, 
    rmx_recvpipe = 16384, rmx_sendpipe = 16384, rmx_ssthresh = 0, rmx_rtt = 0, 
    rmx_rttvar = 0, rmx_pksent = 0, rmx_filler = {0, 0, 0, 0}}, 
  rt_gwroute = 0x0, rt_output = 0, rt_parent = 0x0, rt_filler2 = 0x0}
(kgdb) set radix 16
Input and output radices now set to decimal 16, hex 10, octal 20.
(kgdb) print ac
$5 = (struct arpcom *) 0xf09b2c00
(kgdb) print rt
$6 = (struct rtentry *) 0xf0a1f000
(kgdb) print *ac
$7 = {ac_if = {if_softc = 0xf09b2c00, if_name = 0xf018f1a5 "de", 
    if_next = 0xf09b2800, if_addrlist = 0xf06ae700, if_pcount = 0x0, 
    if_bpf = 0x0, if_index = 0x1, if_unit = 0x0, if_timer = 0x0, 
    if_flags = 0xc843, if_recvquota = 0x0, if_sendquota = 0x0, 
    if_ipending = 0x0, if_data = {ifi_type = 0x6, ifi_physical = 0x0, 
      ifi_addrlen = 0x6, ifi_hdrlen = 0xe, ifi_mtu = 0x5dc, ifi_metric = 0x0, 
      ifi_baudrate = 0x0, ifi_ipackets = 0x16, ifi_ierrors = 0x0, 
      ifi_opackets = 0x11, ifi_oerrors = 0x0, ifi_collisions = 0x8, 
      ifi_ibytes = 0xd63, ifi_obytes = 0x4b0, ifi_imcasts = 0xb, 
      ifi_omcasts = 0x5, ifi_iqdrops = 0x0, ifi_noproto = 0x0, 
      ifi_lastchange = {tv_sec = 0x31719ed8, tv_usec = 0x27100}}, 
    if_output = 0xf0140bdc <ether_output>, 
    if_start = 0xf018dbd0 <tulip_start>, if_done = 0, 
    if_ioctl = 0xf018ec10 <tulip_ioctl>, if_watchdog = 0, if_poll_recv = 0, 
    if_poll_xmit = 0, if_poll_intren = 0, if_poll_slowinput = 0, if_snd = {
      ifq_head = 0x0, ifq_tail = 0x0, ifq_len = 0x0, ifq_maxlen = 0x32, 
      ifq_drops = 0x0}, if_poll_slowq = 0x0}, ac_enaddr = "\000\000À \030À", 
  ac_multiaddrs = 0xf0a574a0, ac_multicnt = 0x3}
(kgdb) print *rc
No symbol "rc" in current context.
(kgdb) print *rt
$8 = {rt_nodes = {{rn_mklist = 0x0, rn_p = 0xf0a24218, rn_b = 0xffff, 
      rn_bmask = 0x0, rn_flags = 0x4, rn_u = {rn_leaf = {
          rn_Key = 0xf0a1dd40 "\020\002", rn_Mask = 0x0, rn_Dupedkey = 0x0}, 
        rn_node = {rn_Off = 0xf0a1dd40, rn_L = 0x0, rn_R = 0x0}}}, {
      rn_mklist = 0xf09b1ef0, rn_p = 0xf0a7b518, rn_b = 0x39, rn_bmask = 0x40, 
      rn_flags = 0x4, rn_u = {rn_leaf = {
          rn_Key = 0x7 "4\022U\211åj\002\235\214Ø\216à\216è\203}\004", 
          rn_Mask = 0xf0a7b018 "", rn_Dupedkey = 0xf0a24218}, rn_node = {
          rn_Off = 0x7, rn_L = 0xf0a7b018, rn_R = 0xf0a24218}}}}, 
  rt_gateway = 0xf0a1dd50, rt_filler = 0x0, rt_refcnt = 0x1, 
  rt_flags = 0x20405, rt_ifp = 0xf09b2c00, rt_ifa = 0xf0a22700, 
  rt_genmask = 0x0, rt_llinfo = 0xf09b40c0 "à@\233ð\200t¥ð", rt_rmx = {
    rmx_locks = 0x0, rmx_mtu = 0x5dc, rmx_hopcount = 0x0, 
    rmx_expire = 0x31719ed8, rmx_recvpipe = 0x4000, rmx_sendpipe = 0x4000, 
    rmx_ssthresh = 0x0, rmx_rtt = 0x0, rmx_rttvar = 0x0, rmx_pksent = 0x0, 
    rmx_filler = {0x0, 0x0, 0x0, 0x0}}, rt_gwroute = 0x0, rt_output = 0, 
  rt_parent = 0x0, rt_filler2 = 0x0}
(kgdb) print m
$9 = (struct mbuf *) 0xf09b40c0
(kgdb) print *m
$10 = {m_hdr = {mh_next = 0xf09b40e0, mh_nextpkt = 0xf0a57480, 
    mh_data = 0xf0a1f000 "", mh_len = 0xf0a7af80, mh_type = 0x1, 
    mh_flags = 0x0}, M_dat = {MH = {MH_pkthdr = {rcvif = 0x0, len = 0x0}, 
      MH_dat = {MH_ext = {ext_buf = 0x0, ext_free = 0, ext_size = 0xf09b40c0}, 
        MH_databuf = "\000\000\000\000\000\000\000\000À@\233ð\000N¢ð", '\000' <repeats 20 times>, "\001\000^\000\000\001\001\000^\000\000\001\000t\233ð\001", '\000' <repeats 15 times>, "\200_¥ð\001\000\000\000\001", '\000' <repeats 11 times>, "\001\000\000\000\000\000\000\000\000\000\000"}}, 
    M_databuf = '\000' <repeats 16 times>, "À@\233ð\000N¢ð", '\000' <repeats 20 times>, "\001\000^\000\000\001\001\000^\000\000\001\000t\233ð\001", '\000' <repeats 15 times>, "\200_¥ð\001\000\000\000\001", '\000' <repeats 11 times>, "\001\000\000\000\000\000\000\000\000\000\000"}}
(kgdb) print dst
$11 = (struct sockaddr *) 0xf0a7a030
(kgdb) print *dst
$12 = {sa_len = 0x10, sa_family = 0x2, 
  sa_data = "\000\000Âd\000~\000\000\000\000\000\000\000"}
(kgdb) print edst
$13 = "0\000\000\000Âd"
(kgdb) print rt0
$14 = (struct rtentry *) 0x0

Ok, rt0 is NULL, and arpresolve is called with NULL rt0 entry.
As arpresolve blindly dereferences rt0 it causes a panic:

	/*
	 * There is an arptab entry, but no ethernet address
	 * response yet.  Replace the held mbuf with this
	 * latest one.
	 */
	if (la->la_hold)
		m_freem(la->la_hold);
	la->la_hold = m;
	if (rt->rt_expire) {
		rt->rt_flags &= ~RTF_REJECT;
		if (la->la_asked == 0 || rt->rt_expire != time.tv_sec) {
			rt->rt_expire = time.tv_sec;
			if (la->la_asked++ < arp_maxtries)
			    arprequest(ac,
				&(SIN(rt0->rt_ifa->ifa_addr)->sin_addr.s_addr),
				&(SIN(dst)->sin_addr.s_addr),
				ac->ac_enaddr);
			else {
				rt->rt_flags |= RTF_REJECT;
				rt->rt_expire += arpt_down;
				la->la_asked = 0;
			}

		}
	}
	return (0);

In the call to arprequest, rt0 is dereferenced without a check.  I do not know
enough about this piece of code to know how it should be changed to avoid
the problem.

Are these arp table modifications being worked on tested with any routing
daemons like routed and gated?  First the kernel started losing arp table
entries for host routes; now the kernel panics as soon as gated hooks
itself up into multicast and starts installing routes it sees around.

I have tried this with and without reversing the modification to in_rmx.c
which causes arp table entries to be lost if host routes are installed on
top of them.  Without reversing this modification, all hosts which have
point-to-point links at the same address as their ethernet address (unnumbered
in the cisco terminology, I think) will become impossible to communicate with
due to losing the arp table entry, as gated and routed try to install a route
for a host with the destination as the same host, which causes the arp table
entry to be erased.

I think this problem has been there for several weeks (I saw this
earlier but had no time to investigate it further then).

>How-To-Repeat:

I do not know how large a network would be necessary to recreate this
problem.  It might require routers with unnumbered point-to-point
interfaces in the local network, but I am not sure about that.

>Fix:
	
arpresolve should check its arguments, at least.

>Audit-Trail:
>Unformatted:
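The NULL rt0 dereference in arpresolve() described in this report, modelled as an added example (not FreeBSD source and not the fix the project eventually committed): a cut-down arpresolve tail that validates rt0 before taking the ARP source address from it. The reduced structs, the fallback to the llinfo route's own rt_ifa when rt0 is NULL, and the interface addresses are this example's assumptions; dst 194.100.0.126 and rt_expire 829529816 are taken from the dump above.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not FreeBSD code: a cut-down model of the arpresolve() tail
 * quoted in the report, with the argument check the report asks for. Structs
 * keep only the fields that path touches. */
#define RTF_REJECT   0x8
#define ARP_MAXTRIES 5
#define ARPT_DOWN    20

struct sockaddr_in { uint32_t s_addr; };
struct ifaddr      { struct sockaddr_in *ifa_addr; };
struct rtentry     { struct ifaddr *rt_ifa; long rt_expire; int rt_flags; };
struct llinfo_arp  { int la_asked; };
struct arp_req     { uint32_t sip, tip; int sent; };   /* what we "transmit" */

static void arprequest(struct arp_req *o, uint32_t sip, uint32_t tip)
{
    o->sip = sip; o->tip = tip; o->sent = 1;
}

/* The reported code reads rt0->rt_ifa->ifa_addr with no test of rt0, and rt0
 * was NULL in the dump. This variant checks its arguments first; when rt0 is
 * NULL it falls back to the llinfo route's own rt_ifa (non-NULL in the dump).
 * That fallback is this example's assumption, not the project's fix.
 * Returns 0, or -1 when no usable source address exists (nothing is sent). */
static int arpresolve_checked(struct llinfo_arp *la, struct rtentry *rt,
                              struct rtentry *rt0, uint32_t dst, long now,
                              struct arp_req *o)
{
    o->sent = 0;
    if (la == NULL || rt == NULL) return -1;
    struct ifaddr *ifa = (rt0 != NULL && rt0->rt_ifa != NULL) ? rt0->rt_ifa
                                                               : rt->rt_ifa;
    if (ifa == NULL || ifa->ifa_addr == NULL) return -1;
    if (rt->rt_expire) {                 /* same retry/backoff as the excerpt */
        rt->rt_flags &= ~RTF_REJECT;
        if (la->la_asked == 0 || rt->rt_expire != now) {
            rt->rt_expire = now;
            if (la->la_asked++ < ARP_MAXTRIES)
                arprequest(o, ifa->ifa_addr->s_addr, dst);
            else {
                rt->rt_flags |= RTF_REJECT;
                rt->rt_expire += ARPT_DOWN;
                la->la_asked = 0;
            }
        }
    }
    return 0;
}

enum { CASE_RT0_OK, CASE_RT0_NULL, CASE_NO_IFA };

/* Constructed fixtures: dst 194.100.0.126 and rt_expire 829529816 come from
 * the dump; the interface addresses are made up. Returns the source address
 * placed in the request, or 0xffffffff when the call was refused. */
static uint32_t scenario(int which)
{
    struct sockaddr_in sa0 = { 0xC2640001u }, sa1 = { 0xC2640002u };
    struct ifaddr ifa0 = { &sa0 }, ifa1 = { &sa1 };
    struct rtentry rt0 = { &ifa0, 0, 0 };
    struct rtentry rt = { which == CASE_NO_IFA ? NULL : &ifa1, 829529816L, 0 };
    struct llinfo_arp la = { 0 };
    struct arp_req o;
    if (arpresolve_checked(&la, &rt, which == CASE_RT0_OK ? &rt0 : NULL,
                           0xC264007Eu, 829529817L, &o) != 0)
        return 0xffffffffu;
    return o.sent ? o.sip : 0;
}
```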