Date: Thu, 11 Nov 2010 20:14:55 +0100 (CET) From: Przemyslaw Frasunek <venglin@freebsd.lublin.pl> To: FreeBSD-gnats-submit@FreeBSD.org Subject: bin/152143: [PATCH] rtadvd(8) null pointer dereference Message-ID: <20101111191455.7113A23944A@lagoon.freebsd.lublin.pl> Resent-Message-ID: <201011111920.oABJKAW0088701@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 152143
>Category: bin
>Synopsis: [PATCH] rtadvd(8) null pointer dereference
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Nov 11 19:20:09 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Przemyslaw Frasunek
>Release: FreeBSD 7.3-RELEASE i386
>Organization:
Nette sp. z o.o.
>Environment:
Generic 7.3-RELEASE
>Description:
rtadvd(8) crashes sporadically on machines with large number
of dynamically created network interfaces (ng, vlan, tap, ...).
This is due to null pointer dereference caused by race
condition, when the interface is being destroyed. See patch below.
>How-To-Repeat:
See above.
>Fix:
--- rtadvd.c.old 2010-02-10 01:26:20.000000000 +0100
+++ rtadvd.c 2010-11-11 20:08:24.000000000 +0100
@@ -659,7 +659,7 @@
* If we happen to receive data on an interface which is now
* down,
* just discard the data.
*/
- if ((iflist[pi->ipi6_ifindex]->ifm_flags & IFF_UP) == 0) {
+ if ((iflist[pi->ipi6_ifindex] == NULL || iflist[pi->ipi6_ifindex]->ifm_flags & IFF_UP) == 0) {
syslog(LOG_INFO,
"<%s> received data on a disabled interface
(%s)",
__func__,
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20101111191455.7113A23944A>