Date: Mon, 7 Feb 2000 15:16:05 +0000 (GMT)
From: dwmalone@maths.tcd.ie
To: FreeBSD-gnats-submit@freebsd.org, ru@freebsd.org, ache@freebsd.org, bde@freebsd.org
Subject: kern/16564: SLIOCSUNIT is broken and can cause panic.
Message-ID: <200002071516.aa82012@walton.maths.tcd.ie>
>Number:         16564
>Category:       kern
>Synopsis:       SLIOCSUNIT is broken and can cause panic.
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 7 07:20:00 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     David Malone
>Release:        FreeBSD 4.0-CURRENT i386
>Organization:
School of Mathematics, Trinity College, Dublin 2, Ireland.
>Environment:
4.0 as of the last few days, but I suspect the problem goes back a long way.
>Description:
The slip SLIOCSUNIT ioctl is supposed to allow you to decide what slip
interface you are configuring and attaching to a tty, however it does
some slightly strange things (see if_sl.c line 375):

	1) Search for desired slip unit.
	2) Swap the contents of original slip unit's softc and desired
	   slip unit's softc.
	3) Point the tty at the desired softc.

The main problem is the softc for slip contains pointers which point to
other bits of the softc (sc.sc_comp.last_cs, sc.sc_comp.tstate[n].cs_next
and sc.sc_comp.rstate[n].cs_next), so copying the whole softc to a
different location is incorrect.

I'm not actually convinced that swapping the softc's is the correct
action either, but I can't find any documentation for the SLIOCSUNIT
ioctl, so I can't be certain. Looking through /usr/src, calls to
SLIOCSUNIT seem to be directly after switching the tty to SLIPDISC,
which means the swap is intended to leave the desired softc as if it
had just been opened and leave the original softc in an unused state.
>How-To-Repeat:
Configure a kernel with two slip devices, then:

	slattach -a -c -h -S 1 -s 57600 /dev/ttyd0
	ifconfig sl0 inet 10.0.1.1 10.0.1.4 netmask 255.255.255.0
	telnet 10.0.1.4

You'll need something at the other end of the slip connection. Pings
work fine 'cos they are not compressed - any tcp connection will result
in a null pointer dereference at slcompress.c line 197.
>Fix:
Various options:

	1) Teach SLIOCSUNIT how to swap the contents of sc.sc_comp, which
	   seems a bit ugly. The code already swaps the sc.sc_if back
	   again, but swapping sc.sc_comp would not be as straightforward,
	   as the one that you want may not be initialised.

	2) Make sc.sc_comp a pointer instead of an included structure.
	   Seems straightforward, but a bit of a workaround rather than
	   a fix.

	3) Make SLIOCSUNIT do the equivalent of a slclose(original unit)
	   and then a slopen(desired unit), so you are sure everything is
	   correctly initialised. This is a relatively clean option but
	   means you no longer swap the contents of the softc's. It would
	   also remove some of the workaround code added for sc.sc_if.

If someone can offer me guidance on which of these is the correct fix
I can code and test it.
>Release-Note:
>Audit-Trail:
>Unformatted:
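The failure the PR describes, reproduced in userland as an added example (this is not the FreeBSD code, not part of the report, and not David Malone's patch). The structures are a simplified, hypothetical stand-in for the `sc_comp` / `slcompress` layout named above: a `struct slcompress` embedded in a softc, holding `last_cs` and per-slot `cs_next` pointers that refer back into its own `tstate`/`rstate` arrays. `swap_softc_by_value` is the by-value swap of option 2 in the description; with unit 0 opened and unit 1 never opened, the swapped-in unit's `last_cs` still points into unit 0's storage, which now holds unit 1's zeroed state, so the next `cs_next` is NULL. Two fixes are shown alongside: pointer relocation after the copy (in the spirit of option 1, preserving live compression state) and re-initialising the destination (in the spirit of option 3, a fresh-open state). The function names, `NSTATES` and the `sc_unit` field are assumptions made for the example.

```c
/* Added example, not FreeBSD code: why a softc with self-referential
 * pointers cannot be swapped by value, and two ways to make it safe.
 * Layout is a simplified stand-in for if_sl.c's sc_comp (assumption). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define NSTATES 4                    /* hypothetical ring size */

struct cstate {
    struct cstate *cs_next;          /* ring link into the same array */
    unsigned char  cs_id;
};

struct slcompress {
    struct cstate *last_cs;          /* most recently used tstate slot */
    struct cstate  tstate[NSTATES];
    struct cstate  rstate[NSTATES];
};

struct sl_softc {
    int sc_unit;                     /* stand-in for sc_if (no pointers) */
    struct slcompress sc_comp;       /* embedded by value, as in if_sl.c */
};

/* slopen-style initialisation: link both rings, point last_cs at slot 0. */
static void comp_init(struct slcompress *c)
{
    memset(c, 0, sizeof *c);
    for (int i = 0; i < NSTATES; i++) {
        c->tstate[i].cs_id = (unsigned char)i;
        c->tstate[i].cs_next = &c->tstate[(i + 1) % NSTATES];
        c->rstate[i].cs_id = (unsigned char)i;
        c->rstate[i].cs_next = &c->rstate[(i + 1) % NSTATES];
    }
    c->last_cs = &c->tstate[0];
}

/* Does p land on an element of arr[0..NSTATES)?  NULL never does. */
static int points_into(const struct cstate *p, const struct cstate *arr)
{
    uintptr_t q = (uintptr_t)p, lo = (uintptr_t)arr,
              hi = (uintptr_t)(arr + NSTATES);
    return q >= lo && q < hi;
}

/* Invariant check: every internal pointer of c refers back into c. */
int comp_is_self_contained(const struct slcompress *c)
{
    if (!points_into(c->last_cs, c->tstate))
        return 0;
    for (int i = 0; i < NSTATES; i++)
        if (!points_into(c->tstate[i].cs_next, c->tstate) ||
            !points_into(c->rstate[i].cs_next, c->rstate))
            return 0;
    return 1;
}

/* The buggy swap described in the PR: struct assignment copies the
 * pointer values, so each side keeps pointing at the *other* softc. */
void swap_softc_by_value(struct sl_softc *a, struct sl_softc *b)
{
    struct sl_softc tmp = *a;
    *a = *b;
    *b = tmp;
}

/* Translate one pointer that referred into `from` so it refers into `to`.
 * Only the *address* of `from` is used, so its contents may already be
 * overwritten.  NULL and foreign pointers pass through unchanged. */
static struct cstate *rebase(struct cstate *p, const struct slcompress *from,
                             struct slcompress *to)
{
    if (points_into(p, from->tstate)) return to->tstate + (p - from->tstate);
    if (points_into(p, from->rstate)) return to->rstate + (p - from->rstate);
    return p;
}

static void rebase_comp(struct slcompress *c, const struct slcompress *from)
{
    c->last_cs = rebase(c->last_cs, from, c);
    for (int i = 0; i < NSTATES; i++) {
        c->tstate[i].cs_next = rebase(c->tstate[i].cs_next, from, c);
        c->rstate[i].cs_next = rebase(c->rstate[i].cs_next, from, c);
    }
}

/* Fix A (option 1 flavour): swap, then relocate the internal pointers. */
void swap_softc_rebased(struct sl_softc *a, struct sl_softc *b)
{
    struct sl_softc tmp = *a;
    *a = *b;
    rebase_comp(&a->sc_comp, &b->sc_comp);   /* a's contents came from b */
    *b = tmp;
    rebase_comp(&b->sc_comp, &a->sc_comp);   /* tmp's pointers refer into a */
}

/* Fix B (option 3 flavour): give the desired unit a freshly opened state. */
void swap_softc_and_reinit(struct sl_softc *orig, struct sl_softc *desired)
{
    swap_softc_by_value(orig, desired);
    comp_init(&desired->sc_comp);
}

/* Unit 0 opened, unit 1 never opened, SLIOCSUNIT swaps and the tty now
 * uses unit 1.  Returns 1 if last_cs->cs_next would be NULL (the panic). */
int by_value_swap_yields_null_next(void)
{
    struct sl_softc sc[2];
    memset(sc, 0, sizeof sc);
    sc[0].sc_unit = 0; sc[1].sc_unit = 1;
    comp_init(&sc[0].sc_comp);
    swap_softc_by_value(&sc[0], &sc[1]);
    struct cstate *cs = sc[1].sc_comp.last_cs;
    return points_into(cs, sc[0].sc_comp.tstate) && cs->cs_next == NULL;
}

/* Same scenario with Fix A: live state (last_cs at slot 2) survives. */
int rebased_swap_is_self_contained(void)
{
    struct sl_softc sc[2];
    memset(sc, 0, sizeof sc);
    comp_init(&sc[0].sc_comp);
    sc[0].sc_comp.last_cs = &sc[0].sc_comp.tstate[2];
    swap_softc_rebased(&sc[0], &sc[1]);
    return comp_is_self_contained(&sc[1].sc_comp)
        && sc[1].sc_comp.last_cs == &sc[1].sc_comp.tstate[2]
        && sc[1].sc_comp.last_cs->cs_next == &sc[1].sc_comp.tstate[3];
}

/* Same scenario with Fix B: desired unit looks freshly opened. */
int reinit_swap_is_self_contained(void)
{
    struct sl_softc sc[2];
    memset(sc, 0, sizeof sc);
    comp_init(&sc[0].sc_comp);
    swap_softc_and_reinit(&sc[0], &sc[1]);
    return comp_is_self_contained(&sc[1].sc_comp)
        && sc[1].sc_comp.last_cs == &sc[1].sc_comp.tstate[0];
}

int main(void)
{
    printf("by-value swap leaves NULL cs_next: %d\n", by_value_swap_yields_null_next());
    printf("rebased swap self-contained:       %d\n", rebased_swap_is_self_contained());
    printf("reinit swap self-contained:        %d\n", reinit_swap_is_self_contained());
    return 0;
}
```

`comp_is_self_contained` is the check worth keeping around: the same assertion placed after any copy of a pointer-laden softc (a kernel `KASSERT` would be the natural home) turns this class of bug from a NULL dereference on the first compressed TCP segment into a failure at the ioctl that caused it.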
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200002071516.aa82012>