From owner-freebsd-bugs@FreeBSD.ORG Thu Nov 11 19:20:10 2010
Message-Id: <20101111191455.7113A23944A@lagoon.freebsd.lublin.pl>
Date: Thu, 11 Nov 2010 20:14:55 +0100 (CET)
From: Przemyslaw Frasunek
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: bin/152143: [PATCH] rtadvd(8) null pointer dereference
Reply-To: Przemyslaw Frasunek

>Number: 152143
>Category: bin
>Synopsis: [PATCH] rtadvd(8) null pointer dereference
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Nov 11 19:20:09 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Przemyslaw Frasunek
>Release: FreeBSD 7.3-RELEASE i386
>Organization: Nette sp. z o.o.
>Environment: Generic 7.3-RELEASE
>Description:
rtadvd(8) crashes sporadically on machines with a large number of dynamically created network interfaces (ng, vlan, tap, ...). This is due to a null pointer dereference caused by a race condition when the interface is being destroyed. See patch below.
>How-To-Repeat:
See above.
>Fix:
--- rtadvd.c.old 2010-02-10 01:26:20.000000000 +0100 +++ rtadvd.c 2010-11-11 20:08:24.000000000 +0100 @@ -659,7 +659,7 @@ * If we happen to receive data on an interface which is now * down, * just discard the data. */ - if ((iflist[pi->ipi6_ifindex]->ifm_flags & IFF_UP) == 0) { + if ((iflist[pi->ipi6_ifindex] == NULL || iflist[pi->ipi6_ifindex]->ifm_flags & IFF_UP) == 0) { syslog(LOG_INFO, "<%s> received data on a disabled interface (%s)", __func__,
>Release-Note:
>Audit-Trail:
>Unformatted:
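Review bot: The parentheses on the added `+ if` line put the `== 0` around the whole `||` expression, so a NULL `iflist[pi->ipi6_ifindex]` makes the condition `(1) == 0`, which is false, and the packet is not discarded. The short-circuit does stop the dereference inside the condition itself, but execution then skips the "received data on a disabled interface" branch and continues into whatever follows this block with an interface entry that is known to be NULL. To match the comment above it (discard data for an interface that is down), the test should read `if (iflist[pi->ipi6_ifindex] == NULL || (iflist[pi->ipi6_ifindex]->ifm_flags & IFF_UP) == 0) {`. Loading the entry into a local pointer once and testing that would also keep the line within the file's width and avoid indexing the array twice while the interface list may be changing.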