From owner-freebsd-bugs  Sun May 25 07:10:03 1997
Return-Path: <owner-bugs>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id HAA23329
          for bugs-outgoing; Sun, 25 May 1997 07:10:03 -0700 (PDT)
Received: (from gnats@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id HAA23323;
          Sun, 25 May 1997 07:10:01 -0700 (PDT)
Resent-Date: Sun, 25 May 1997 07:10:01 -0700 (PDT)
Resent-Message-Id: <199705251410.HAA23323@hub.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@FreeBSD.ORG, aagero@aage.priv.no
Received: from aage.priv.no (birk04.studby.uio.no [129.240.214.13])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id HAA23035
          for <FreeBSD-gnats-submit@freebsd.org>; Sun, 25 May 1997 07:00:29 -0700 (PDT)
Received: (from aagero@localhost) by aage.priv.no (8.8.5/sendmail95) id QAA00470; Sun, 25 May 1997 16:00:26 +0200 (CEST)
Message-Id: <199705251400.QAA00470@aage.priv.no>
Date: Sun, 25 May 1997 16:00:26 +0200 (CEST)
From: Åge Røbekk <aagero@aage.priv.no>
Reply-To: aagero@aage.priv.no
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: kern/3678: bug in IPDIVERT code in -current
Sender: owner-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk


>Number:         3678
>Category:       kern
>Synopsis:       bug in IPDIVERT code in -current
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 25 07:10:01 PDT 1997
>Last-Modified:
>Originator:     Åge Røbekk
>Organization:
>Release:        FreeBSD 3.0-CURRENT i386
>Environment:

FreeBSD birk04.studby.uio.no 3.0-CURRENT FreeBSD 3.0-CURRENT #8: Sun May 25 15:43:56 CEST 1997     aagero@birk04.studby.uio.no:/usr/src/sys/compile/AAGE  i386

built from the very latest sources, with peter wemm's latest changes in the
divert code.

>Description:

	when binding to an divert socket, div_bind() in ip_divert.c calls
	in_pcbbind() with an unset inpcb struct pointer, resulting in a
	panic.

>How-To-Repeat:

	pseudo-code:

 	int divsock;
	divsock = socket(..., IPPROT_DIVERT);
	bind(divsock, ...);
 	<panic>

>Fix:
	
--- ip_divert.c.old     Sat May 24 19:23:11 1997
+++ ip_divert.c Sun May 25 15:53:43 1997
@@ -311,6 +311,7 @@
        int s;
        int error;
 
+       inp = sotoinpcb(so);
        s = splnet();
        error = in_pcbbind(inp, nam, p);
        splx(s);
	

>Audit-Trail:
>Unformatted: