[Bug 283848] rtnl_handle_newroute() incomplete check of attrs.rta_table

2025-01-04 Thread bugzilla-noreply 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=283848

Bug ID: 283848
   Summary: rtnl_handle_newroute() incomplete check of
attrs.rta_table
   Product: Base System
   Version: CURRENT
  Hardware: Any
OS: Any
Status: New
  Severity: Affects Some People
  Priority: ---
 Component: kern
  Assignee: b...@freebsd.org
  Reporter: r...@lcs.mit.edu
 Attachment #256427 text/plain
 mime type:

Created attachment 256427
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=256427&action=edit
pass a too-large rtm_table to RTM_NEWROUTE

The attached program passes an rtm_table that's too large to netlink
RTM_NEWROUTE. With INVARIANTS, this fails in rt_tables_get_rnh_ptr():

KASSERT(table < V_rt_numfibs,
("%s: table out of bounds (%d < %d)", __func__, table,
 V_rt_numfibs));

Without INVARIANTS, the function returns junk from beyond the end of
V_rt_tables rather than a proper pointer.

Perhaps a contributing factor is that rtnl_handle_newroute() only
checks rta_table in one arm of the "if":

if (attrs.rtm_table > 0 && attrs.rta_table == 0) {
/* pre-2.6.19 Linux API compatibility */
attrs.rta_table = attrs.rtm_table;
} else if (attrs.rta_table >= V_rt_numfibs) {
NLMSG_REPORT_ERR_MSG(npt, "invalid fib");
return (EINVAL);
}

I think also rtm_family ought to be checked against AF_MAX to avoid
tripping over the relevant KASSERT in rt_tables_get_rnh_ptr().

# uname -a
FreeBSD  15.0-CURRENT FreeBSD 15.0-CURRENT #345
main-n250995-3750873316a1-dirty: Sat Jan  4 13:51:03 EST 2025
rtm@zika:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM riscv
# cc netlink12b.c
# ./a.out
panic: rt_tables_get_rnh_ptr: table out of bounds (1 < 1)
cpuid = 0
time = 1735920333
KDB: stack backtrace:
db_trace_self() at db_trace_self
db_trace_self_wrapper() at db_trace_self_wrapper+0x36
kdb_backtrace() at kdb_backtrace+0x2c
vpanic() at vpanic+0x16e
panic() at panic+0x26
rt_tables_get_rnh() at rt_tables_get_rnh+0x9a
nhop_get_nhop() at nhop_get_nhop+0x1e
finalize_nhop() at finalize_nhop+0xd4
rtnl_handle_newroute() at rtnl_handle_newroute+0x4a2
rtnl_handle_message() at rtnl_handle_message+0x12a
nl_taskqueue_handler() at nl_taskqueue_handler+0x49a
taskqueue_run_locked() at taskqueue_run_locked+0x158
taskqueue_thread_loop() at taskqueue_thread_loop+0xd4
fork_exit() at fork_exit+0x68
fork_trampoline() at fork_trampoline+0xa
KDB: enter: panic

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 283820] ixl multicast filter problems

2025-01-04 Thread bugzilla-noreply 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=283820

Mark Linimon  changed:

   What|Removed |Added

 CC||pku...@freebsd.org
   Assignee|b...@freebsd.org|n...@freebsd.org
   Keywords||IntelNetworking

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 283848] rtnl_handle_newroute() incomplete check of attrs.rta_table

2025-01-04 Thread bugzilla-noreply 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=283848

Mark Linimon  changed:

   What|Removed |Added

   Assignee|b...@freebsd.org|n...@freebsd.org

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 259839] rtadvctl unable to connect to different control socket of radvd

2025-01-04 Thread bugzilla-noreply 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=259839

Kurt Jaeger  changed:

   What|Removed |Added

 CC||p...@freebsd.org

--- Comment #2 from Kurt Jaeger  ---
Can you check if the update to 2.20 fixed this ?

-- 
You are receiving this mail because:
You are the assignee for the bug.