From: Vincent Jardin
To: net@freebsd.org
Subject: rn_walktree_from bug or feature ?
Date: Tue, 12 Nov 2002 22:44:36 +0100
Message-Id: <20021112214436.F200E10339E@venus.vincentjardin.net>

The function rn_walktree_from() accesses the array xm; however, when a
default IPv4 route is removed (RTM_DELETE), rn has the following values:

    rn->rn_bmask = 0x80h
    xm = { 0, 0, 0, 0 }
    rn->offset = 4

Then, sometimes the following test:

    if (!(rn->rn_bmask & xm[rn->rn_offset])) break;

could lead to a panic when xm[4] is out of the 4KB pages. It happens very
rarely.

I am wondering if it is a well-known bug or if our analysis is wrong.

    static int
    rn_walktree_from(h, a, m, f, w)
    [...]
        for (rn = h->rnh_treetop; rn->rn_bit >= 0; ) {
            last = rn;
            /* printf("rn_bit %d, rn_bmask %x, xm[rn_offset] %x\n",
               rn->rn_bit, rn->rn_bmask, xm[rn->rn_offset]); */
            if (!(rn->rn_bmask & xm[rn->rn_offset])) {
                /* XXX: panic ??? */
                break;
            }
            if (rn->rn_bmask & xa[rn->rn_offset]) {
                rn = rn->rn_right;
            } else {
                rn = rn->rn_left;
            }
        }
    [ ... ]

Regards,
  Vincent
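
The descent loop quoted in the message, with a length check in front of each byte read, as an added example that is not part of the original post or of the FreeBSD source. The reduced `struct node`, the helpers `byte_at()` and `descend_bounded()`, the explicit length parameters, and the choice to treat a byte past the end of the mask as zero are all assumptions made for illustration.

```c
#include <stddef.h>

/* Simplified userland model holding only the fields the quoted loop
 * touches. Hypothetical; this is not FreeBSD's struct radix_node. */
struct node {
    int            rn_bit;     /* < 0 marks a leaf */
    unsigned char  rn_bmask;   /* bit to test within the byte */
    int            rn_offset;  /* byte index into key and mask */
    struct node   *rn_left, *rn_right;
};

/* Return byte `off` of a `len`-byte buffer. Assumption: a byte past
 * the end counts as zero, i.e. "no mask bits set there". */
static unsigned char byte_at(const unsigned char *p, size_t len, int off)
{
    return (off >= 0 && (size_t)off < len) ? p[off] : 0;
}

/* Same walk as the quoted loop, but never reads outside xa or xm.
 * Returns the last internal node visited. */
static struct node *
descend_bounded(struct node *top, const unsigned char *xa, size_t alen,
                const unsigned char *xm, size_t mlen)
{
    struct node *rn = top, *last = top;

    while (rn->rn_bit >= 0) {
        last = rn;
        if (!(rn->rn_bmask & byte_at(xm, mlen, rn->rn_offset)))
            break;                      /* mask has no bit here: stop */
        if (rn->rn_bmask & byte_at(xa, alen, rn->rn_offset))
            rn = rn->rn_right;
        else
            rn = rn->rn_left;
    }
    return last;
}

/* Constructed case using the values reported in the message:
 * xm = {0,0,0,0}, rn_bmask = 0x80, rn_offset = 4 (rn_bit 32 is made up). */
static int demo_default_route(void)
{
    unsigned char xa[4] = { 0, 0, 0, 0 }, xm[4] = { 0, 0, 0, 0 };
    struct node leaf = { -1, 0, 0, NULL, NULL };
    struct node top  = { 32, 0x80, 4, &leaf, &leaf };

    return descend_bounded(&top, xa, sizeof xa, xm, sizeof xm) == &top;
}

int main(void) { return demo_default_route() ? 0 : 1; }
```

With these inputs the unchecked expression `xm[rn->rn_offset]` would read `xm[4]`, one byte past a four-byte array; the bounded version stops at the top node without touching that byte.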