From owner-freebsd-bugs  Thu Oct  4 13:10:15 2001
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id F086C37B409
	for <freebsd-bugs@hub.freebsd.org>; Thu,  4 Oct 2001 13:10:00 -0700 (PDT)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.11.4/8.11.4) id f94KA0o61312;
	Thu, 4 Oct 2001 13:10:00 -0700 (PDT)
	(envelope-from gnats)
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 2BDBC37B40C
	for <freebsd-gnats-submit@FreeBSD.org>; Thu,  4 Oct 2001 13:02:29 -0700 (PDT)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.4/8.11.4) id f94K2Tf57302;
	Thu, 4 Oct 2001 13:02:29 -0700 (PDT)
	(envelope-from nobody)
Message-Id: <200110042002.f94K2Tf57302@freefall.freebsd.org>
Date: Thu, 4 Oct 2001 13:02:29 -0700 (PDT)
From: Paul Herman <pherman@frenchfries.net>
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: bin/31045: routed dumps core
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-bugs.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-bugs>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-bugs>
X-Loop: FreeBSD.org


>Number:         31045
>Category:       bin
>Synopsis:       routed dumps core
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Oct 04 13:10:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Paul Herman
>Release:        FreeBSD 4.4-RELEASE alpha
>Organization:
>Environment:
FreeBSD arthur.sc.omation.com 4.4-RELEASE FreeBSD 4.4-RELEASE #0:
Wed Sep 19 17:24:50 PDT 2001 pherman@arthur.sc.omation.com:/usr/obj/usr/src/sys/
arthur  alpha
>Description:
        my routed dumps core when I do an rtquery on it's xl1
        interface.  My /etc/gateways:
          if=xl1 no_rip no_rdisc
          if=xl0 pm_rdisc

        routed is started as "routed -s" to force it to act like a 
        gateway.

        Here's the trace:

12:30:41{{ttyp0}root@arthur}/sbin//> gdb /sbin/routed /routed.core
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you 
are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "alpha-unknown-freebsd"...
Core was generated by `routed'.
Program terminated with signal 11, Segmentation fault.
#0  0x1200088bc in supply (dst=0x120079b40, ifp=0x0, type=OUT_QUERY, flash=0,
    vers=2, passwd_ok=0) at /usr/src/sbin/routed/output.c:767
767             if (supplier && (def_metric = ifp->int_d_metric) != 0) {
(gdb) bt
#0  0x1200088bc in supply (dst=0x120079b40, ifp=0x0, type=OUT_QUERY, flash=0,
    vers=2, passwd_ok=0) at /usr/src/sbin/routed/output.c:767
(gdb) print ifp
$1 = (struct interface *) 0x0
(gdb) print *rt
$2 = {rt_nodes = {{rn_mklist = 0x0, rn_p = 0x0, rn_b = 0, rn_bmask = 0 '\000',
      rn_flags = 0 '\000', rn_u = {rn_leaf = {rn_Key = 0x0, rn_Mask = 0x0,
          rn_Dupedkey = 0x0}, rn_node = {rn_Off = 0, rn_L = 0x0,
          rn_R = 0x0}}}, {rn_mklist = 0x0, rn_p = 0x0, rn_b = 0,
      rn_bmask = 0 '\000', rn_flags = 0 '\000', rn_u = {rn_leaf = {
          rn_Key = 0x0, rn_Mask = 0x0, rn_Dupedkey = 0x0}, rn_node = {
          rn_Off = 0, rn_L = 0x0, rn_R = 0x0}}}}, rt_state = 0, rt_dst_sock = {
    sin_len = 0 '\000', sin_family = 0 '\000', sin_port = 0, sin_addr = {
      s_addr = 0}, sin_zero = "\000\000\000\000\000\000\000"}, rt_mask = 0,
  rt_spares = {{rts_ifp = 0x0, rts_gate = 0, rts_router = 0,
      rts_metric = 0 '\000', rts_tag = 0, rts_time = 0, rts_de_ag = 0}, {
      rts_ifp = 0x0, rts_gate = 0, rts_router = 0, rts_metric = 0 '\000',
      rts_tag = 0, rts_time = 0, rts_de_ag = 0}, {rts_ifp = 0x0, rts_gate = 0,
      rts_router = 0, rts_metric = 0 '\000', rts_tag = 0, rts_time = 0,
      rts_de_ag = 0}, {rts_ifp = 0x0, rts_gate = 0, rts_router = 0,
      rts_metric = 0 '\000', rts_tag = 0, rts_time = 0, rts_de_ag = 0}},
  rt_seqno = 0, rt_poison_metric = 0 '\000', rt_poison_time = 0}

Seems like "rtfind(dst->sin_addr.s_addr)" fails in the beginning of
supply() in output.c, and ifp is assigned a NULL pointer.

>How-To-Repeat:
        Do same setup as described at the beginning of "Description:"
        and do an rtquery from an external host.

>Fix:
        I suppose have supply() do some bounds checking and then fail
        accordingly, but I don't even know what supply() does, so
        wouldn't know how to do that.

        Other configuration info available upon request.
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message