sa_len of 0 in ioctl paths, etc. and bogus routes

Sun, 09 Apr 2006 05:55:22 -0700 

Hi,

attached patch and description is for testing and further discussion.
You can also fetch it from
http://sources.zabbadoz.net/freebsd/patchset/EXPERIMENTAL/sys-net-route.c.diff
! ! These checks are needed so we do not install a route looking 
! like this:
! (0)                10.111.66.200      UH       tun0 =>
! ! When removing this route the kernel will start to walk 
! the address space which looks like a hang on amd64 because
! it'll take AGES and on 32bit arch might lead to an insta-panic
! when kernel debugging options are turned on.
! ! The problem is in rtrequest1: 
!       if (netmask) {
!               rt_maskedcopy(dst, ndst, netmask);
!       } else
!               bcopy(dst, ndst, dst->sa_len);
! ! In both cases the len might be 0 if the application forgot to 
! set it. This is an application error but as it can 'stall'
! your system upon removing of the bogus route it has to be
! prevented.
! If it is not  ndst will be all-zero leading to above mentioned
! strange routes.
! ! I hit this twice using IOCTLs deprecated since rev. 1 of FreeBSD 
! soure and still in the tree. They are descriped by Stevens and that
! might be the reason I had used them in my own code initially.
! Today I know exactly one application (after I had changed my own code)
! still using them and I just fixed usage of that.
! ! I haven't checked if this can also be triggered by using ! SIOCAIFADDR, etc. ! ! Looks good says: gnn 
! Tested by:            you?
! ! We should probably catch a sa_len of 0 as early as possible in ioctl paths 
! too (suggested by gnn).
! Index: route.c 
===================================================================
RCS file: /shared/mirror/FreeBSD/r/ncvs/src/sys/net/route.c,v
retrieving revision 1.114
diff -u -p -r1.114 route.c
--- route.c     11 Nov 2005 16:04:48 -0000      1.114
+++ route.c     9 Apr 2006 12:12:38 -0000
@@ -499,6 +499,9 @@ rtrequest(int req,
 {
        struct rt_addrinfo info;

+       if (dst->sa_len == 0)
+               return(EINVAL);
+
        bzero((caddr_t)&info, sizeof(info));
        info.rti_flags = flags;
        info.rti_info[RTAX_DST] = dst;
@@ -1137,6 +1140,9 @@ rtinit(struct ifaddr *ifa, int cmd, int
                dst = ifa->ifa_addr;
                netmask = ifa->ifa_netmask;
        }
+       if (dst->sa_len == 0)
+               return(EINVAL);
+
        /*
         * If it's a delete, check that if it exists, it's on the correct
         * interface or we might scrub a route to another ifa which would

--
Bjoern A. Zeeb                          bzeeb at Zabbadoz dot NeT
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to