Date:      Mon, 10 Apr 2000 15:49:22 -0700 (PDT)
From:      Tom Pavel <pavel@NetworkPhysics.COM>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   kern/17911: uninitialized var in netgraph msg code
Message-ID:  <200004102249.PAA00657@cyclone.networkphysics.com>


>Number:         17911
>Category:       kern
>Synopsis:       uninitialized var in netgraph msg code
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 10 16:20:01 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Tom Pavel
>Release:        FreeBSD 3.4-RELEASE i386
>Organization:
Network Physics, Inc.
>Environment:

	Netgraph code in 3.4 or 3-STABLE (same bug in current).  

	Using:
        $FreeBSD: src/sys/netgraph/ng_base.c,v 1.6.2.9 1999/12/08 19:44:03 julian Exp $

	running on i386:
	cyclone[44]% uname -a
	FreeBSD cyclone.networkphysics.com 3.4-RELEASE FreeBSD 3.4-RELEASE #7: Mon Apr 10 12:03:55 PDT 2000     root@cyclone.networkphysics.com:/usr/src/sys/compile/NGTEST  i386


>Description:

	The "off" variable in the NGM_ASCII2BINARY case of
	ng_generic_msg() is uninitialized.  This can lead to a kernel
	panic in strtol() (from e.g. ng_int32_parse()) if the variable
	happens to be initialized to a (nonzero) nonsensical value.

>How-To-Repeat:

	Hook up some netgraph modules, send a bunch of ngctl msg
	commands with numeric arguments, and wait for the kernel stack
	to churn a bit.

>Fix:
	
--- /sys/netgraph/ng_base.c     Wed Dec  8 11:44:03 1999
+++ ng_base.c   Mon Apr 10 12:03:19 2000
@@ -1519,7 +1519,7 @@
                const struct ng_cmdlist *c;
                const struct ng_parse_type *argstype;
                struct ng_mesg *rp, *ascii, *binary;
-               int off;
+               int off = 0;
 
                /* Data area must contain at least a struct ng_mesg + '\0' */
                ascii = (struct ng_mesg *)msg->data;
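Review bot: initializing `off` at its declaration (`int off = 0;`) is the minimal fix for the uninitialized read that the description traces to strtol() via ng_int32_parse(), but the hunk shows only the declaration and none of the code that consumes `off`, so the committer should confirm that every parse call in the NGM_ASCII2BINARY body either starts from this zero offset or assigns `off` itself before use, and a short comment on that line saying why zero is the correct starting offset would help the next reader. Since the Environment section reports the same bug in -current while the diff is against the 3-STABLE ng_base.c (rev 1.6.2.9), the same one-line change needs to be applied to -current as well.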


Tom Pavel

Network Physics
pavel@networkphysics.com / pavel@alum.mit.edu 

>Release-Note:
>Audit-Trail:
>Unformatted:
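As an added example (not code from the PR or from the netgraph sources), the following C sketches the pattern the report describes: an offset variable owned by the caller and handed to a parser that calls strtol(). Both `parse_int32_at` and `convert_ascii_args` are hypothetical stand-ins, not netgraph's ng_int32_parse() or ng_generic_msg(); the example shows the caller-side fix from the PR (start `off` at 0) together with a parser-side bounds check that rejects a nonsensical offset instead of reading past the buffer.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical offset-driven parser: read a decimal int32 from s at *off
 * and advance *off past the digits. It refuses an offset outside [0, len)
 * so that a garbage offset can never turn into an out-of-bounds strtol(). */
static int parse_int32_at(const char *s, size_t len, int *off, long *out)
{
    char *end;
    long v;

    if (*off < 0 || (size_t)*off >= len)
        return -1;                      /* caller's offset is nonsensical */
    errno = 0;
    v = strtol(s + *off, &end, 10);
    if (end == s + *off || errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return -1;                      /* no digits, or out of int32 range */
    *off = (int)(end - s);
    *out = v;
    return 0;
}

/* Mirrors the NGM_ASCII2BINARY shape: the offset lives in the caller and is
 * passed down to each parse call. "int off = 0;" is the PR's one-line fix;
 * without the initializer, off holds whatever was on the stack. */
static int convert_ascii_args(const char *args, long *first, long *second)
{
    int off = 0;
    size_t len = strlen(args);

    if (parse_int32_at(args, len, &off, first) != 0)
        return -1;
    if (parse_int32_at(args, len, &off, second) != 0)
        return -1;
    return 0;
}
```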

