NetBSD Problem Report #42923

From hash@abox3.so-net.ne.jp  Fri Mar  5 07:49:52 2010
Return-Path: <hash@abox3.so-net.ne.jp>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id 5BE5363B11D
	for <gnats-bugs@gnats.NetBSD.org>; Fri,  5 Mar 2010 07:49:52 +0000 (UTC)
Message-Id: <20100305164735.BD89.17947C80@abox3.so-net.ne.jp>
Date: Fri, 05 Mar 2010 16:49:48 +0900
From: Takahiro HAYASHI <hash@abox3.so-net.ne.jp>
To: gnats-bugs@gnats.NetBSD.org
Cc: hash@abox3.so-net.ne.jp
Subject: pppd(8) catches SIGSEGV after IPv6CP link is up

>Number:         42923
>Category:       bin
>Synopsis:       pppd(8) catches SIGSEGV after IPv6CP link is up
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Mar 05 07:50:00 +0000 2010
>Closed-Date:    Sat Apr 02 10:20:04 +0000 2011
>Last-Modified:  Sat Apr 02 10:35:01 +0000 2011
>Originator:     Takahiro Hayashi
>Release:        NetBSD-current 5.99.24 checked out on Feb 25 02:59:20 GMT 2010
>Organization:
>Environment:
System: NetBSD halt 5.99.24 NetBSD 5.99.24 (UNION) #2: Tue Mar  2 09:16:58 JST 2010  root@peer:/usr/build/obj.i386/sys/arch/i386/compile/UNION i386
Architecture: i386
Machine: i386
>Description:
	pppd(8) catches SIGSEGV while it configures the pppN interface.
	This happens when only the IPv6CP link is up.
	In pppd/pppd/sys-bsd.c the IPv6 prefix mask of the interface is
	set with memset(); however, the address passed lies beyond the end
	of the structure (see the patch below).
>How-To-Repeat:
	Configure pppd to establish IPv6CP link and start it.
>Fix:
	This patch may help.
Index: usr.sbin/pppd/pppd/sys-bsd.c
===================================================================
RCS file: /cvsroot/src/usr.sbin/pppd/pppd/sys-bsd.c,v
retrieving revision 1.61
diff -u -u -r1.61 sys-bsd.c
--- usr.sbin/pppd/pppd/sys-bsd.c	14 Nov 2009 04:47:03 -0000	1.61
+++ usr.sbin/pppd/pppd/sys-bsd.c	5 Mar 2010 06:11:51 -0000
@@ -793,9 +793,9 @@
     addreq6.ifra_prefixmask.sin6_len = sizeof(struct sockaddr_in6);
     memset(&addreq6.ifra_prefixmask.sin6_addr, 0xff,
 	sizeof(addreq6.ifra_prefixmask.sin6_addr) - sizeof(our_eui64));
-    memset(&addreq6.ifra_prefixmask.sin6_addr +
-	sizeof(addreq6.ifra_prefixmask.sin6_addr) - sizeof(our_eui64), 0x00,
-	sizeof(our_eui64));
+    memset(&addreq6.ifra_prefixmask.sin6_addr.s6_addr
+	[sizeof(addreq6.ifra_prefixmask.sin6_addr) - sizeof(our_eui64)],
+	0x00, sizeof(our_eui64));

     /* address lifetime (infty) */
     addreq6.ifra_lifetime.ia6t_pltime = ND6_INFINITE_LIFETIME;
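Review bot: the replacement is correct because `s6_addr` is a byte array, so the index `sizeof(addreq6.ifra_prefixmask.sin6_addr) - sizeof(our_eui64)` (8) is counted in bytes, whereas the removed lines add that same value to `&addreq6.ifra_prefixmask.sin6_addr`, a `struct in6_addr *`, and therefore step 8 * sizeof(struct in6_addr) = 128 bytes past the start of the address, well outside `addreq6`. A one-line comment above the two memset() calls stating that the upper 64 bits of the prefix mask are set and the EUI-64 part cleared would make the intent obvious and the arithmetic easier to review.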

-- 
Takahiro Hayashi <hash@abox3.so-net.ne.jp>

>Release-Note:

>Audit-Trail:
From: Takahiro HAYASHI <hash@abox3.so-net.ne.jp>
To: gnats-bugs@netbsd.org
Cc: gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: bin/42923: pppd(8) catches SIGSEGV after IPv6CP link is up
Date: Tue, 01 Mar 2011 14:01:50 +0900

 A simpler patch is provided:

 Index: src/usr.sbin/pppd/pppd/sys-bsd.c
 ===================================================================
 RCS file: /cvsroot/src/usr.sbin/pppd/pppd/sys-bsd.c,v
 retrieving revision 1.62
 diff -u -r1.62 sys-bsd.c
 --- src/usr.sbin/pppd/pppd/sys-bsd.c	10 Mar 2010 13:45:39 -0000	1.62
 +++ src/usr.sbin/pppd/pppd/sys-bsd.c	19 Feb 2011 21:36:45 -0000
 @@ -793,7 +793,7 @@
      addreq6.ifra_prefixmask.sin6_len = sizeof(struct sockaddr_in6);
      memset(&addreq6.ifra_prefixmask.sin6_addr, 0xff,
  	sizeof(addreq6.ifra_prefixmask.sin6_addr) - sizeof(our_eui64));
 -    memset(&addreq6.ifra_prefixmask.sin6_addr +
 +    memset((char *)&addreq6.ifra_prefixmask.sin6_addr +
  	sizeof(addreq6.ifra_prefixmask.sin6_addr) - sizeof(our_eui64), 0x00,
  	sizeof(our_eui64));
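Review bot: fine as a minimal fix, since the `(char *)` cast makes the addition byte-granular and the 0x00 fill now lands on the last `sizeof(our_eui64)` bytes of `sin6_addr` instead of 128 bytes past it; it is equivalent to the `sin6_addr.s6_addr[...]` index from the first patch, which expresses the same byte offset without a cast and may be preferred for that reason. Whichever form is committed, a short comment noting that the interface-identifier half of the mask is being cleared would help the next reader avoid the same mistake.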


 The pointer passed to memset() should be advanced by 8 bytes,
 but the original code advances it by sizeof(struct in6_addr) * 8 bytes.
 This may cause stack breakage.

 --
 Takahiro HAYASHI
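As an added illustration of the offset arithmetic described in the report and in the reply above (not code from the PR or from pppd), using constructed stand-in structs with the BSD layout: `buggy_offset_bytes()` reproduces the scaled offset the original `memset()` computed, `memset_in_bounds()` checks an offset against the enclosing `sockaddr_in6`, and `build_prefixmask()` fills the mask the way the fixed code does.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins with the BSD layouts (16-byte in6_addr, 28-byte
 * sockaddr_in6, 8-byte EUI-64); not the pppd or kernel headers themselves. */
struct in6_addr { uint8_t s6_addr[16]; };
struct sockaddr_in6 {
	uint8_t sin6_len, sin6_family; uint16_t sin6_port; uint32_t sin6_flowinfo;
	struct in6_addr sin6_addr; uint32_t sin6_scope_id;
};
typedef uint8_t eui64_t[8];
/* Byte offset into sin6_addr that the removed line ends up with: adding N to
 * a struct in6_addr * steps N whole 16-byte structs, not N bytes. */
size_t buggy_offset_bytes(void)
{
	return (sizeof(struct in6_addr) - sizeof(eui64_t)) * sizeof(struct in6_addr);
}
/* Byte offset the fixed line computes (s6_addr index or (char *) cast). */
size_t fixed_offset_bytes(void)
{
	return sizeof(struct in6_addr) - sizeof(eui64_t);
}
/* 1 if a memset of len bytes starting off bytes into sin6_addr stays inside
 * the enclosing sockaddr_in6, 0 if it runs past the end of the structure. */
int memset_in_bounds(size_t off, size_t len)
{
	return offsetof(struct sockaddr_in6, sin6_addr) + off + len <= sizeof(struct sockaddr_in6);
}
/* Build the IPv6CP prefix mask as the fixed code does: first 64 bits set,
 * the EUI-64 (interface identifier) part cleared. */
void build_prefixmask(struct sockaddr_in6 *mask)
{
	memset(mask, 0, sizeof(*mask));
	mask->sin6_len = sizeof(*mask);
	memset(mask->sin6_addr.s6_addr, 0xff, fixed_offset_bytes());
	memset(&mask->sin6_addr.s6_addr[fixed_offset_bytes()], 0x00, sizeof(eui64_t));
}
/* Prefix length encoded by a mask: count of leading one bits. */
int prefixmask_len(const struct sockaddr_in6 *mask)
{
	int bits = 0;
	for (size_t i = 0; i < sizeof(mask->sin6_addr.s6_addr); i++) {
		uint8_t b = mask->sin6_addr.s6_addr[i];
		for (; b & 0x80; b = (uint8_t)(b << 1)) bits++;
		if (b != 0 || mask->sin6_addr.s6_addr[i] != 0xff) break;
	}
	return bits;
}
/* Build a mask and report its prefix length (expected 64 for a /64 prefix). */
int built_prefixmask_len(void) { struct sockaddr_in6 m; build_prefixmask(&m); return prefixmask_len(&m); }
```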

State-Changed-From-To: open->closed
State-Changed-By: mbalmer@NetBSD.org
State-Changed-When: Sat, 02 Apr 2011 10:20:04 +0000
State-Changed-Why:
Fix applied, thanks.


From: "Marc Balmer" <mbalmer@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/42923 CVS commit: src/usr.sbin/pppd/pppd
Date: Sat, 2 Apr 2011 10:19:27 +0000

 Module Name:	src
 Committed By:	mbalmer
 Date:		Sat Apr  2 10:19:27 UTC 2011

 Modified Files:
 	src/usr.sbin/pppd/pppd: sys-bsd.c

 Log Message:
 Fix PR 42923, from Takahiro HAYASHI, thanks.


 To generate a diff of this commit:
 cvs rdiff -u -r1.62 -r1.63 src/usr.sbin/pppd/pppd/sys-bsd.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

>Unformatted:
