Date: Mon, 24 Jun 2013 17:31:04 GMT
From: Florian Obser <florian+freebsd.gnats@narrans.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: bin/179931: infinite loop in rtsol(8) by sending an option with length 0
Message-ID: <201306241731.r5OHV4Mw000227@oldred.freebsd.org>
Resent-Message-ID: <201306241740.r5OHe09H079197@freefall.freebsd.org>

>Number:         179931
>Category:       bin
>Synopsis:       infinite loop in rtsol(8) by sending an option with length 0
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jun 24 17:40:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Florian Obser
>Release:
>Organization:
>Environment:
FreeBSD **** 9.1-RELEASE-p4 FreeBSD 9.1-RELEASE-p4 #0: Mon Jun 17 11:42:37 UTC 2013 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
rtsol.c:
393 #define RA_OPT_NEXT_HDR(x)     (struct nd_opt_hdr *)((char *)x + \
394                                (((struct nd_opt_hdr *)x)->nd_opt_len * 8))
[...]
398         while (raoptp < (char *)icp + msglen) {
[...]
546                 raoptp = (char *)RA_OPT_NEXT_HDR(raoptp);
547         }

Found while reading the code, unless I'm missing something, raoptp will never increase if nd_opt_len == 0 and with that the loop in line 398 will never terminate.
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
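
The following is an added example, not part of the original report and not code from rtsol.c or any FreeBSD fix: a length-checked walk over a Router Advertisement option area that refuses a zero-length option instead of looping on it. The helper name walk_ra_options, the OPT_HDR_LEN macro and the sample buffers are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* An ND option starts with a 1-byte type and a 1-byte length; the length
 * counts units of 8 octets and includes these two bytes (RFC 4861, 4.6). */
#define OPT_HDR_LEN 2

/* Hypothetical helper, not from rtsol.c: walks the options in buf and
 * returns how many were seen, or -1 if the option chain is malformed. */
int walk_ra_options(const uint8_t *buf, size_t buflen)
{
    size_t off = 0;
    int count = 0;

    while (off < buflen) {
        if (buflen - off < OPT_HDR_LEN)
            return -1;          /* truncated option header */
        size_t optlen = (size_t)buf[off + 1] * 8;
        if (optlen == 0)
            return -1;          /* cursor would never advance */
        if (optlen > buflen - off)
            return -1;          /* option claims bytes past the message */
        count++;
        off += optlen;
    }
    return count;
}

/* Constructed sample option areas (not captured traffic). */
const uint8_t ok_opts[]  = { 1, 1, 0, 0, 0, 0, 0, 0,   5, 1, 0, 0, 0, 0, 5, 0xdc };
const uint8_t zero_len[] = { 1, 1, 0, 0, 0, 0, 0, 0,   5, 0, 0, 0, 0, 0, 0, 0 };
const uint8_t overrun[]  = { 3, 4, 0, 0, 0, 0, 0, 0 };

int main(void)
{
    printf("well-formed: %d\n", walk_ra_options(ok_opts, sizeof ok_opts));
    printf("zero length: %d\n", walk_ra_options(zero_len, sizeof zero_len));
    printf("overrun:     %d\n", walk_ra_options(overrun, sizeof overrun));
    return 0;
}
```

RFC 4861 section 4.6 states that a length of 0 is invalid and that a packet containing such an option must be silently discarded, which is why the helper rejects the whole option area rather than skipping ahead.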