Date: Mon, 26 Jul 2004 22:13:44 +0300 From: Peter Pentchev <roam@ringlet.net> To: net@FreeBSD.org Subject: [CFR] if_xl.c and if.c null pointer dereferences Message-ID: <20040726191344.GC1055@straylight.m.ringlet.net>
next in thread | raw e-mail | index | archive | help
--8bBEDOJVaa9YlTAt Content-Type: multipart/mixed; boundary="cz6wLo+OExbGG7q/" Content-Disposition: inline --cz6wLo+OExbGG7q/ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi, A couple of days ago I was handed a new machine with a 3Com 905B card. Before remembering the PNP OS option in the BIOS, I stumbled across a couple of null pointer dereferences leading to kernel panics when FreeBSD 4.10-STABLE could not map the card's resources and attempted to "clean up" the driver state before it had enough state to begin with. Attached are two patches, one to if_xl.c and one to if.c, which avoid "cleaning up" data at pointers that have not been initialized yet. Although this will not happen in normal operation, there's no need for the kernel to panic instead of simply reporting that it could not get the PCI resources it needs :) G'luck, Peter --=20 Peter Pentchev roam@ringlet.net roam@cnsys.bg roam@FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 If this sentence were in Chinese, it would say something else. --cz6wLo+OExbGG7q/ Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="init-if.patch" Content-Transfer-Encoding: quoted-printable Index: src/sys/net/if.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/sys/net/if.c,v retrieving revision 1.195 diff -u -r1.195 if.c --- src/sys/net/if.c 22 Jun 2004 20:13:25 -0000 1.195 +++ src/sys/net/if.c 9 Jul 2004 14:27:49 -0000 @@ -516,6 +516,8 @@ int s; int i; struct domain *dp; + struct ifnet *iter; + int found; =20 EVENTHANDLER_INVOKE(ifnet_departure_event, ifp); /* @@ -582,9 +584,11 @@ =20 =20 /* We can now free link ifaddr. */ - ifa =3D TAILQ_FIRST(&ifp->if_addrhead); - TAILQ_REMOVE(&ifp->if_addrhead, ifa, ifa_link); - IFAFREE(ifa); + if (!TAILQ_EMPTY(&ifp->if_addrhead)) { + ifa =3D TAILQ_FIRST(&ifp->if_addrhead); + TAILQ_REMOVE(&ifp->if_addrhead, ifa, ifa_link); + IFAFREE(ifa); + } =20 /* * Delete all remaining routes using this interface @@ -616,7 +620,14 @@ #endif /* MAC */ KNOTE(&ifp->if_klist, NOTE_EXIT); IFNET_WLOCK(); - TAILQ_REMOVE(&ifnet, ifp, if_link); + found =3D 0; + TAILQ_FOREACH(iter, &ifnet, if_link) + if (iter =3D=3D ifp) { + found =3D 1; + break; + } + if (found) + TAILQ_REMOVE(&ifnet, ifp, if_link); IFNET_WUNLOCK(); mtx_destroy(&ifp->if_snd.ifq_mtx); IF_AFDATA_DESTROY(ifp); --cz6wLo+OExbGG7q/ Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="init-xl.patch" Content-Transfer-Encoding: quoted-printable Index: src/sys/pci/if_xl.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/sys/pci/if_xl.c,v retrieving revision 1.178 diff -u -r1.178 if_xl.c --- src/sys/pci/if_xl.c 9 Jul 2004 02:28:23 -0000 1.178 +++ src/sys/pci/if_xl.c 9 Jul 2004 14:26:45 -0000 @@ -3169,7 +3169,8 @@ sc->xl_cdata.xl_rx_chain[i].xl_mbuf =3D NULL; } } - bzero(sc->xl_ldata.xl_rx_list, XL_RX_LIST_SZ); + if (sc->xl_ldata.xl_rx_list !=3D NULL) + bzero(sc->xl_ldata.xl_rx_list, XL_RX_LIST_SZ); /* * Free the TX list buffers. */ @@ -3183,7 +3184,8 @@ sc->xl_cdata.xl_tx_chain[i].xl_mbuf =3D NULL; } } - bzero(sc->xl_ldata.xl_tx_list, XL_TX_LIST_SZ); + if (sc->xl_ldata.xl_tx_list !=3D NULL) + bzero(sc->xl_ldata.xl_tx_list, XL_TX_LIST_SZ); =20 ifp->if_flags &=3D ~(IFF_RUNNING | IFF_OACTIVE); } --cz6wLo+OExbGG7q/-- --8bBEDOJVaa9YlTAt Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQFBBVfo7Ri2jRYZRVMRAqJrAJ4r8FKS5ZUPvObPueHBUwhZEVCWWACgtGNt U2a+3mpcoy8bAwyfvsbW2oU= =IShT -----END PGP SIGNATURE----- --8bBEDOJVaa9YlTAt--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040726191344.GC1055>