Date: Sun, 9 Apr 2006 12:54:03 +0000 (UTC) From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net> To: FreeBSD net mailing list <net@freebsd.org> Subject: sa_len of 0 in ioctl paths, etc. and bogus routes Message-ID: <20060409124834.F30410@maildrop.int.zabbadoz.net>
next in thread | raw e-mail | index | archive | help
Hi, attached patch and description is for testing and further discussion. You can also fetch it from http://sources.zabbadoz.net/freebsd/patchset/EXPERIMENTAL/sys-net-route.c.diff ! ! These checks are needed so we do not install a route looking ! like this: ! (0) 10.111.66.200 UH tun0 => ! ! When removing this route the kernel will start to walk ! the address space which looks like a hang on amd64 because ! it'll take AGES and on 32bit arch might lead to an insta-panic ! when kernel debugging options are turned on. ! ! The problem is in rtrequest1: ! if (netmask) { ! rt_maskedcopy(dst, ndst, netmask); ! } else ! bcopy(dst, ndst, dst->sa_len); ! ! In both cases the len might be 0 if the application forgot to ! set it. This is an application error but as it can 'stall' ! your system upon removing of the bogus route it has to be ! prevented. ! If it is not ndst will be all-zero leading to above mentioned ! strange routes. ! ! I hit this twice using IOCTLs deprecated since rev. 1 of FreeBSD ! soure and still in the tree. They are descriped by Stevens and that ! might be the reason I had used them in my own code initially. ! Today I know exactly one application (after I had changed my own code) ! still using them and I just fixed usage of that. ! ! I haven't checked if this can also be triggered by using ! SIOCAIFADDR, etc. ! ! Looks good says: gnn ! Tested by: you? ! ! We should probably catch a sa_len of 0 as early as possible in ioctl paths ! too (suggested by gnn). ! Index: route.c =================================================================== RCS file: /shared/mirror/FreeBSD/r/ncvs/src/sys/net/route.c,v retrieving revision 1.114 diff -u -p -r1.114 route.c --- route.c 11 Nov 2005 16:04:48 -0000 1.114 +++ route.c 9 Apr 2006 12:12:38 -0000 @@ -499,6 +499,9 @@ rtrequest(int req, { struct rt_addrinfo info; + if (dst->sa_len == 0) + return(EINVAL); + bzero((caddr_t)&info, sizeof(info)); info.rti_flags = flags; info.rti_info[RTAX_DST] = dst; @@ -1137,6 +1140,9 @@ rtinit(struct ifaddr *ifa, int cmd, int dst = ifa->ifa_addr; netmask = ifa->ifa_netmask; } + if (dst->sa_len == 0) + return(EINVAL); + /* * If it's a delete, check that if it exists, it's on the correct * interface or we might scrub a route to another ifa which would -- Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060409124834.F30410>