NetBSD Problem Report #47311

From www@NetBSD.org  Tue Dec 11 14:51:50 2012
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	by www.NetBSD.org (Postfix) with ESMTP id 7717263E81D
	for <gnats-bugs@gnats.NetBSD.org>; Tue, 11 Dec 2012 14:51:50 +0000 (UTC)
Message-Id: <20121211145149.325E263E81D@www.NetBSD.org>
Date: Tue, 11 Dec 2012 14:51:49 +0000 (UTC)
From: uwe@NetBSD.org
Reply-To: uwe@NetBSD.org
To: gnats-bugs@NetBSD.org
Subject: rtadvd(8) crashes when RA arrives on a newly created interface
X-Send-Pr-Version: www-1.0

>Number:         47311
>Category:       bin
>Synopsis:       rtadvd(8) crashes when RA arrives on a newly created interface
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Dec 11 14:55:00 +0000 2012
>Closed-Date:    Mon Nov 26 08:04:58 +0000 2018
>Last-Modified:  Mon Nov 26 08:04:58 +0000 2018
>Originator:     Valery Ushakov
>Release:        NetBSD 6
>Organization:
>Environment:
NetBSD amd64 6.0_STABLE NetBSD 6.0_STABLE (GENERIC) #0: Sun Nov 18 04:21:07 MSK 2012  uwe@amd64:/home/uwe/work/netbsd/cvs/src-release-6/sys/arch/amd64/compile/GENERIC amd64

>Description:
When rtadvd(8) is up and running and a new interface is created behind
its back it doesn't notice that.  When later an RA arrives on a new
interface rtadvd(8) crashes at rtadvd.c:617 (line number as of rev. 1.38):

  if ((iflist[pi->ipi6_ifindex]->ifm_flags & IFF_UP) == 0) {

where pi->ipi6_ifindex names a new interface and it's out of bounds for 
iflist[] array that was populated before the new interface was created.

>How-To-Repeat:
I don't have a ready test case to reproduce it.  What I'm doing is I'm
playing with lwIP stack using tap(4) bridge(4)'ed to the real ethernet.

The system has

rtadvd=YES
rtadvd_flags="wm2"

in rc.conf(5) so rtadvd(8) is started at boot.  Later I create a tap interface bridged to wm1 and run lwIP on that tap.  When my lwIP app sends its first RA out on tap, rtadvd(8) crashes as described.

To reproduce this it's probably easiest to just create/open a tap and send canned ethernet frame with RA packet in it.

>Fix:

>Release-Note:

>Audit-Trail:
From: christos@zoulas.com (Christos Zoulas)
To: gnats-bugs@NetBSD.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc: 
Subject: Re: bin/47311: rtadvd(8) crashes when RA arrives on a newly created interface
Date: Tue, 11 Dec 2012 12:02:09 -0500

 On Dec 11,  2:55pm, uwe@NetBSD.org (uwe@NetBSD.org) wrote:
 -- Subject: bin/47311: rtadvd(8) crashes when RA arrives on a newly created i

 | >Number:         47311
 | >Category:       bin
 | >Synopsis:       rtadvd(8) crashes when RA arrives on a newly created interface
 | >Confidential:   no
 | >Severity:       non-critical
 | >Priority:       low
 | >Responsible:    bin-bug-people
 | >State:          open
 | >Class:          sw-bug
 | >Submitter-Id:   net
 | >Arrival-Date:   Tue Dec 11 14:55:00 +0000 2012
 | >Originator:     Valery Ushakov
 | >Release:        NetBSD 6
 | >Organization:
 | >Environment:
 | NetBSD amd64 6.0_STABLE NetBSD 6.0_STABLE (GENERIC) #0: Sun Nov 18 04:21:07 MSK 2012  uwe@amd64:/home/uwe/work/netbsd/cvs/src-release-6/sys/arch/amd64/compile/GENERIC amd64
 | 
 | >Description:
 | When rtadvd(8) is up and running and a new interface is created behind
 | its back it doesn't notice that.  When later an RA arrives on a new
 | interface rtadvd(8) crashes at rtadvd.c:617 (line number as of rev. 1.38):
 | 
 |   if ((iflist[pi->ipi6_ifindex]->ifm_flags & IFF_UP) == 0) {
 | 
 | where pi->ipi6_ifindex names a new interface and it's out of bounds for 
 | iflist[] array that was populated before the new interface was created.
 | 
 | >How-To-Repeat:
 | I don't have a ready test case to reproduce it.  What I'm doing is I'm
 | playing with lwIP stack using tap(4) bridge(4)'ed to the real ethernet.
 | 
 | The system has
 | 
 | rtadvd=YES
 | rtadvd_flags="wm2"
 | 
 | in rc.conf(5) so rtadvd(8) is started at boot.  Later I create a tap interface bridged to wm1 and run lwIP on that tap.  When my lwIP app sends its first RA out on tap, rtadvd(8) crashes as described.
 | 
 | To reproduce this it's probably easiest to just create/open a tap and send canned ethernet frame with RA packet in it.


 should make it handle RTM_IFANNOUNCE. The FreeBSD code does it; perhaps use
 theirs?

 christos

From: "Roy Marples" <roy@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/47311 CVS commit: src/usr.sbin/rtadvd
Date: Thu, 13 Dec 2012 15:36:36 +0000

 Module Name:	src
 Committed By:	roy
 Date:		Thu Dec 13 15:36:36 UTC 2012

 Modified Files:
 	src/usr.sbin/rtadvd: advcap.c config.c config.h dump.c if.c if.h
 	    rrenum.c rtadvd.8 rtadvd.c rtadvd.h timer.c

 Log Message:
 Remove the iflist array and store ifflags in rainfo.

 Add support for SIGHUP to re-read the configuration for each interface.
 If an invalid configuration is found, we continue to use the old one;
 otherwise we expire the current one and then start advertising the new one.

 Specified interfaces don't have to exist at startup.
 If specified interfaces arrive, load their config and start advertising.
 If they depart, remove their rainfo structure and continue.

 Fixes PR/43881 and PR/47311


 To generate a diff of this commit:
 cvs rdiff -u -r1.13 -r1.14 src/usr.sbin/rtadvd/advcap.c
 cvs rdiff -u -r1.29 -r1.30 src/usr.sbin/rtadvd/config.c
 cvs rdiff -u -r1.8 -r1.9 src/usr.sbin/rtadvd/config.h
 cvs rdiff -u -r1.9 -r1.10 src/usr.sbin/rtadvd/dump.c src/usr.sbin/rtadvd/if.h
 cvs rdiff -u -r1.21 -r1.22 src/usr.sbin/rtadvd/if.c
 cvs rdiff -u -r1.14 -r1.15 src/usr.sbin/rtadvd/rrenum.c
 cvs rdiff -u -r1.22 -r1.23 src/usr.sbin/rtadvd/rtadvd.8
 cvs rdiff -u -r1.38 -r1.39 src/usr.sbin/rtadvd/rtadvd.c
 cvs rdiff -u -r1.11 -r1.12 src/usr.sbin/rtadvd/rtadvd.h
 cvs rdiff -u -r1.10 -r1.11 src/usr.sbin/rtadvd/timer.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.
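
The crash in this PR comes from using a packet-supplied interface index (`ipi6_ifindex`) as a subscript into a table built before the interface existed. The following is an added example, not rtadvd source and not part of the commit above: it keeps per-interface state in a list searched by index, so an RA on an unknown interface is dropped rather than read out of bounds. All struct, enum and function names are hypothetical, and `EX_IFF_UP` stands in for `IFF_UP`.

```c
/* Added example, not rtadvd source: all names here are hypothetical. */
#include <stdlib.h>
#define EX_IFF_UP 0x1   /* stand-in for IFF_UP so this builds on any OS */
/* Per-interface record kept in a list instead of an array sized at startup. */
struct ifrec { unsigned int ifindex; int flags; struct ifrec *next; };
static struct ifrec *ifrecs;

enum ra_verdict { RA_ACCEPT, RA_DROP_UNKNOWN_IF, RA_DROP_IF_DOWN };

/* Search by key: an index never seen before yields NULL, not an OOB read. */
static struct ifrec *if_lookup(unsigned int ifindex) {
    for (struct ifrec *r = ifrecs; r != NULL; r = r->next)
        if (r->ifindex == ifindex)
            return r;
    return NULL;
}

/* Interface arrival (e.g. an RTM_IFANNOUNCE arrival) or a later flags update. */
int if_arrive(unsigned int ifindex, int flags) {
    struct ifrec *r = if_lookup(ifindex);
    if (r == NULL) {
        if ((r = calloc(1, sizeof(*r))) == NULL)
            return -1;
        r->ifindex = ifindex;
        r->next = ifrecs;
        ifrecs = r;
    }
    r->flags = flags;
    return 0;
}

/* Interface departure: unlink and free the record. */
void if_depart(unsigned int ifindex) {
    for (struct ifrec **pp = &ifrecs; *pp != NULL; pp = &(*pp)->next) {
        if ((*pp)->ifindex != ifindex)
            continue;
        struct ifrec *dead = *pp;
        *pp = dead->next;
        free(dead);
        return;
    }
}

/* Validate the packet-supplied index (ipi6_ifindex) before dereferencing. */
enum ra_verdict ra_check(unsigned int pkt_ifindex) {
    const struct ifrec *r = if_lookup(pkt_ifindex);
    if (r == NULL)
        return RA_DROP_UNKNOWN_IF;
    return (r->flags & EX_IFF_UP) ? RA_ACCEPT : RA_DROP_IF_DOWN;
}
```
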

State-Changed-From-To: open->feedback
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Fri, 21 Dec 2012 20:50:24 +0000
State-Changed-Why:
fixed?
(and should we pull this up to -6?)


From: "Valeriy E. Ushakov" <uwe@stderr.spb.ru>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: bin/47311 (rtadvd(8) crashes when RA arrives on a newly created interface)
Date: Tue, 25 Dec 2012 18:41:31 +0400

 On Fri, Dec 21, 2012 at 20:50:26 +0000, dholland@NetBSD.org wrote:

 > fixed?

 It doesn't crash now.


 > (and should we pull this up to -6?)

 Probably, but I'd defer to Roy.


 -uwe

State-Changed-From-To: feedback->open
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Mon, 25 Feb 2013 08:26:43 +0000
State-Changed-Why:
Fixed, should be pulled up to -6


State-Changed-From-To: open->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Mon, 26 Nov 2018 08:04:58 +0000
State-Changed-Why:
-6 is EOL


>Unformatted:
