NetBSD Problem Report #43881

From mlelstv@henery.1st.de  Wed Sep 15 05:22:03 2010
Return-Path: <mlelstv@henery.1st.de>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id 4431463B960
	for <gnats-bugs@gnats.NetBSD.org>; Wed, 15 Sep 2010 05:22:03 +0000 (UTC)
Message-Id: <20100915052139.5FF842817C@henery.1st.de>
Date: Wed, 15 Sep 2010 07:21:39 +0200 (CEST)
From: mlelstv@serpens.de
Reply-To: mlelstv@serpens.de
To: gnats-bugs@gnats.NetBSD.org
Subject: rtadvd crashes when interfaces are created
X-Send-Pr-Version: 3.95

>Number:         43881
>Category:       bin
>Synopsis:       rtadvd crashes when interfaces are created
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Sep 15 05:25:00 +0000 2010
>Closed-Date:    Mon Oct 07 07:47:43 +0000 2013
>Last-Modified:  Mon Oct 07 07:47:43 +0000 2013
>Originator:     Michael van Elst
>Release:        NetBSD 4.0_STABLE
>Organization:
-- 
                                Michael van Elst
Internet: mlelstv@serpens.de
                                "A potential Snark may lurk in every tree."
>Environment:


System: NetBSD henery 4.0_STABLE NetBSD 4.0_STABLE (HENERY) #33: Sat Sep 4 13:49:00 CEST 2010 mlelstv@henery:/home/netbsd4/obj.i386/home/netbsd4/src/sys/arch/i386/compile/HENERY i386
Architecture: i386
Machine: i386
>Description:
rtadvd dumped core after destroying and creating IPv6 interfaces.

The coredump showed that the crash happens in rtadvd_input.

#0  0x08049fa8 in rtadvd_input ()
#1  0x0804af0d in main ()

eip            0x8049fa8        0x8049fa8 <rtadvd_input+308>

In particular:

        if ((iflist[pi->ipi6_ifindex]->ifm_flags & IFF_UP) == 0) {

uses a NULL pointer.

Iflist is a table created once in init_iflist() and filled sparsely
with kernel data.  Data for unused interface indexes is not initialized
(but happens to be zero). The assumption is probably that all indexes
are used.

rtadvd_input() does only some crude sanity checking by ignoring
messages from interface index zero. It doesn't validate the index
against the table size and it may use uninitialized entries.

N.B. the same code is in -current.

>How-To-Repeat:
Start rtadvd, create new interfaces that accept routing advertisements.

>Fix:


>Release-Note:

>Audit-Trail:
From: "Roy Marples" <roy@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/43881 CVS commit: src/usr.sbin/rtadvd
Date: Thu, 13 Dec 2012 15:36:36 +0000

 Module Name:	src
 Committed By:	roy
 Date:		Thu Dec 13 15:36:36 UTC 2012

 Modified Files:
 	src/usr.sbin/rtadvd: advcap.c config.c config.h dump.c if.c if.h
 	    rrenum.c rtadvd.8 rtadvd.c rtadvd.h timer.c

 Log Message:
 Remove the iflist array and store ifflags in rainfo.

 Add support for SIGHUP to re-read the configuration for each interface.
 If an invalid configuration is found, we continue to use the old one;
 otherwise we expire the current one and then start advertising the new one.

 Specified interfaces don't have to exist at startup.
 If specified interfaces arrive, load their config and start advertising.
 If they depart, remove their rainfo structure and continue.

 Fixes PR/43881 and PR/47311


 To generate a diff of this commit:
 cvs rdiff -u -r1.13 -r1.14 src/usr.sbin/rtadvd/advcap.c
 cvs rdiff -u -r1.29 -r1.30 src/usr.sbin/rtadvd/config.c
 cvs rdiff -u -r1.8 -r1.9 src/usr.sbin/rtadvd/config.h
 cvs rdiff -u -r1.9 -r1.10 src/usr.sbin/rtadvd/dump.c src/usr.sbin/rtadvd/if.h
 cvs rdiff -u -r1.21 -r1.22 src/usr.sbin/rtadvd/if.c
 cvs rdiff -u -r1.14 -r1.15 src/usr.sbin/rtadvd/rrenum.c
 cvs rdiff -u -r1.22 -r1.23 src/usr.sbin/rtadvd/rtadvd.8
 cvs rdiff -u -r1.38 -r1.39 src/usr.sbin/rtadvd/rtadvd.c
 cvs rdiff -u -r1.11 -r1.12 src/usr.sbin/rtadvd/rtadvd.h
 cvs rdiff -u -r1.10 -r1.11 src/usr.sbin/rtadvd/timer.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->feedback
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Mon, 07 Oct 2013 04:55:30 +0000
State-Changed-Why:
roy@ committed a fix last year, does it work?


From: Michael van Elst <mlelstv@serpens.de>
To: gnats-bugs@NetBSD.org
Cc: gnats-admin@NetBSD.org, netbsd-bugs@NetBSD.org, dholland@NetBSD.org
Subject: Re: bin/43881 (rtadvd crashes when interfaces are created)
Date: Mon, 7 Oct 2013 08:55:00 +0200

 On Mon, Oct 07, 2013 at 04:55:30AM +0000, dholland@NetBSD.org wrote:
 > Synopsis: rtadvd crashes when interfaces are created
 > 
 > State-Changed-From-To: open->feedback
 > State-Changed-By: dholland@NetBSD.org
 > State-Changed-When: Mon, 07 Oct 2013 04:55:30 +0000
 > State-Changed-Why:
 > roy@ committed a fix last year, does it work?

 I have no easy way to test this.

 Greetings,
 -- 
                                 Michael van Elst
 Internet: mlelstv@serpens.de
                                 "A potential Snark may lurk in every tree."

State-Changed-From-To: feedback->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Mon, 07 Oct 2013 07:47:43 +0000
State-Changed-Why:
Let's assume it's fixed then.
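
Added example, not part of the PR and not the committed fix (which removed iflist altogether): a minimal C model of the lookup the Description faults, with the two missing checks, a bound on the index and a test for a never-filled slot, placed before the dereference. All ex_* names, the table size and the sample entries are constructed for illustration; only iflist, ifm_flags, IFF_UP and ipi6_ifindex come from the report.

```c
#include <stddef.h>
#include <stdlib.h>

#define EX_IFF_UP 0x1                 /* stand-in for IFF_UP */
struct ex_ifmsg { int ifm_flags; };   /* only the field the PR quotes */

enum ex_verdict { EX_ACCEPT, EX_BAD_INDEX, EX_UNKNOWN_IF, EX_IF_DOWN };

/* Sparse table indexed by interface index, modelled on the PR's iflist. */
static struct ex_ifmsg **ex_iflist;
static size_t ex_iflist_size;

/* Decide whether a packet received on `ifindex` (the value taken from
 * ipi6_ifindex) may be processed.  Every dereference is preceded by the
 * check that makes it safe. */
static enum ex_verdict ex_check_ifindex(unsigned int ifindex)
{
    if (ifindex == 0 || ifindex >= ex_iflist_size)
        return EX_BAD_INDEX;          /* outside the table built at startup */
    if (ex_iflist[ifindex] == NULL)
        return EX_UNKNOWN_IF;         /* slot never filled: unused index */
    if ((ex_iflist[ifindex]->ifm_flags & EX_IFF_UP) == 0)
        return EX_IF_DOWN;
    return EX_ACCEPT;
}

/* Constructed sample state: 8 slots, index 1 up, index 2 down, rest empty. */
static int ex_demo_setup(void)
{
    static struct ex_ifmsg up = { EX_IFF_UP }, down = { 0 };

    free(ex_iflist);
    ex_iflist = calloc(8, sizeof(*ex_iflist));
    ex_iflist_size = ex_iflist ? 8 : 0;
    if (ex_iflist == NULL)
        return -1;
    ex_iflist[1] = &up;
    ex_iflist[2] = &down;
    return 0;
}

int main(void)
{
    if (ex_demo_setup() != 0)
        return 1;
    return (ex_check_ifindex(5) == EX_UNKNOWN_IF &&
            ex_check_ifindex(9) == EX_BAD_INDEX) ? 0 : 1;
}
```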


>Unformatted:
