Message-Id: <200107310014.f6V0E4m01931@freefall.freebsd.org>
Date: Mon, 30 Jul 2001 17:14:04 -0700 (PDT)
From: Richard Andrades
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: kern/29337: If no IP addresses are configured, received ping will crash the kernel.
Sender: owner-freebsd-bugs@FreeBSD.ORG

>Number:         29337
>Category:       kern
>Synopsis:       If no IP addresses are configured, received ping will crash the kernel.
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 30 17:20:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Richard Andrades
>Release:        RELENG_4_1_1_RELEASE (Revision 1.1.2.2)
>Organization:
Xebeo Communications, Inc.
>Environment:
FreeBSD X2.xebeo.com 4.1.1 FreeBSD 4.1.1 #11: Tue Jul 17 14:47:29 EDT 2001 richard@X2.xebeo.com:/net/scratch/richard/kern/kernel/sys/compile/GENERIC i386
>Description:
If a FreeBSD system does not have ANY IP addresses configured on any
interface, and if it receives a unicast ping packet, it will crash
trying to dereference a NULL pointer.
>How-To-Repeat:
This problem requires some work to recreate. My kernel is compiled to
disable IPv6 support. I was unable to reproduce it on a regular kernel
with IPv6 support.

Take a FreeBSD system with NO IP addresses on ANY interface (I could
not do this if IPv6 was enabled).

Set the loopback interface UP but do not assign it an IP address.

Add the following route:

    route add 127.0.0.1 -interface lo0

Ping the address.

    ping 127.0.0.1

The kernel will crash within icmp_reflect()
>Fix:
Note: I checked the latest version and this bug has not yet been fixed.

FILE: src/sys/netinet/ip_icmp.c
Function: icmp_reflect()

-----Begin code fragment-----------------------
	/*
	 * The following happens if the packet was not addressed to us,
	 * and was received on an interface with no IP address.
	 */
	if (ia == (struct in_ifaddr *)0)
		ia = in_ifaddrhead.tqh_first;
	/* Begin BUG FIX */
	if (ia == (struct in_ifaddr *)0){
		m_freem(m);
		goto done; /* Abandon - or we will crash */
	}
	/* End BUG FIX */
	t = IA_SIN(ia)->sin_addr;
--------------End code fragment-----------------

Explanation:
************

In the function ip_input() in the file src/sys/netinet/ip_input.c,
there is the following code fragment:

--------------------------------------
	/*
	 * Check our list of addresses, to see if the packet is for us.
	 * If we don't have any addresses, assume any unicast packet
	 * we receive might be for us (and let the upper layers deal
	 * with it).
	 */
	if (TAILQ_EMPTY(&in_ifaddrhead) &&
	    (m->m_flags & (M_MCAST|M_BCAST)) == 0)
		goto ours;
---------------------------------------

So if the system does not have any IP addresses configured and if a
ping packet arrives with a unicast destination address, the above code
fragment will hand it off to icmp_input() which will pass it on to
icmp_reflect() which will crash trying to dereference the in_ifaddrhead
pointer which is NULL.
>Release-Note:
>Audit-Trail:
>Unformatted:
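
The path described in the report, as a user-space C model added here for illustration (it is not code from the FreeBSD tree or from the report). The simplified struct layouts, the flag values, the exact-compare address match and the function names accepted_as_ours() and reflect_source() are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified stand-ins for the kernel types named in the report. */
struct in_ifaddr {
    uint32_t addr;                 /* models IA_SIN(ia)->sin_addr */
    struct in_ifaddr *next;
};
struct ifaddr_head { struct in_ifaddr *tqh_first; };

/* Constructed flag values; only their distinctness matters here. */
#define M_BCAST 0x1
#define M_MCAST 0x2

/* Models the ip_input() check quoted in the report: returns 1 when the
 * packet is handed to the upper layers ("goto ours"). */
int accepted_as_ours(const struct ifaddr_head *h, int m_flags, uint32_t dst)
{
    const struct in_ifaddr *ia;

    if (h->tqh_first == NULL && (m_flags & (M_MCAST | M_BCAST)) == 0)
        return 1;                  /* no addresses at all: assume ours */
    for (ia = h->tqh_first; ia != NULL; ia = ia->next)
        if (ia->addr == dst)
            return 1;
    return 0;
}

/* Models source selection in icmp_reflect() with the report's guard.
 * Returns 0 and stores the reply source, or -1 when the caller must
 * drop the packet because no address exists. */
int reflect_source(const struct ifaddr_head *h, uint32_t dst, uint32_t *src)
{
    const struct in_ifaddr *ia;

    for (ia = h->tqh_first; ia != NULL; ia = ia->next)
        if (ia->addr == dst)
            break;
    if (ia == NULL)
        ia = h->tqh_first;         /* fall back to the first address */
    if (ia == NULL)
        return -1;                 /* empty list: without this, ia->addr faults */
    *src = ia->addr;
    return 0;
}
```

The two functions disagree only on the empty list: the acceptance rule admits the packet, so the reply path has to handle having no address to answer from.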