| Summary: | [netinet] [patch] IP address hash corruption bug |
|---|---|
| Product: | Base System |
| Reporter: | Seth Kingsley <sethk> |
| Component: | kern |
| Assignee: | Andre Oppermann <andre> |
| Status: | Closed FIXED |
| Severity: | Affects Only Me |
| Priority: | Normal |
| Version: | 5.4-RELEASE |
| Hardware: | Any |
| OS: | Any |
| Attachments: | |
State Changed From-To: open->patched

The fix has been committed in rev. 1.93 of in.c.

Responsible Changed From-To: freebsd-bugs->andre

State Changed From-To: patched->closed

Fixed in HEAD and RELENG_6. Thanks for the submission!
You can cause a panic (page fault) by supplying a non-AF_INET address as the parameter to SIOCSIFADDR. The command will fail, removing the temporary address from the IP hash, which it was never added to.

Fix: Only remove the temporary in_ifaddr structure from the hash if it is actually an AF_INET address:

How-To-Repeat:

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/sockio.h>
#include <sys/ioctl.h>      /* ioctl() */
#include <net/if.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>         /* getprogname() */
#include <string.h>         /* strlcpy() */
#include <strings.h>        /* bzero() */
#include <unistd.h>         /* close() */
#include <sysexits.h>
#include <err.h>

int
main(int ac, char *av[])
{
	int sfd;
	struct ifreq ifr;
	int i;

	if (ac != 2) {
		fprintf(stderr, "usage: %s <ifname>\n", getprogname());
		return EX_USAGE;
	}

	/* Any AF_INET socket will do for issuing the interface ioctl. */
	if ((sfd = socket(PF_INET, SOCK_DGRAM, 0)) == -1)
		err(EX_OSERR, "create socket");

	bzero(&ifr, sizeof(ifr));
	strlcpy(ifr.ifr_name, av[1], sizeof(ifr.ifr_name));

	/* Hand the kernel an address whose family is not AF_INET. */
	ifr.ifr_addr.sa_len = 0;
	ifr.ifr_addr.sa_family = AF_MAX;

	/* The request fails; on the affected kernel the error path unlinks a
	 * temporary in_ifaddr that was never hashed, corrupting the hash. */
	for (i = 0; i < 2; ++i)
		if (ioctl(sfd, SIOCSIFADDR, &ifr) == -1)
			err(EX_OSERR, "SIOCSIFADDR");

	close(sfd);
	return EX_OK;
}
```
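The following is an added userland model of the error path the report describes; it is not FreeBSD's in.c and not part of this PR. It hashes a temporary entry only for AF_INET, lets a later step fail after hashing, and compares the unconditional unlink of the buggy path with the family-guarded unlink the report proposes. The names `ifaddr_model`, `addr_init`, `set_addr`, the 4-bucket hash and the rejection of address 0 are assumptions made for the model.

```c
#include <sys/queue.h>
#include <sys/socket.h>
#include <errno.h>
#include <string.h>

#define NHASH 4

/* Assumed stand-in for struct in_ifaddr: only the fields the model needs. */
struct ifaddr_model {
    int family;                        /* sa_family of the requested address */
    unsigned addr;                     /* IPv4 address, host byte order */
    LIST_ENTRY(ifaddr_model) ia_hash;  /* hash chain, as in_ifaddr's ia_hash */
};
LIST_HEAD(ifaddr_head, ifaddr_model);
static struct ifaddr_head addr_hash[NHASH];
struct ifaddr_model tmp[4];            /* scratch temporary entries for the demo */

/* A chained entry has a non-NULL back pointer. A never-inserted, zeroed entry
 * keeps le_prev == NULL, and LIST_REMOVE stores through exactly that pointer. */
int is_hashed(const struct ifaddr_model *ia) { return ia->ia_hash.le_prev != NULL; }

int hash_count(void) {
    int n = 0; struct ifaddr_model *p;
    for (int i = 0; i < NHASH; i++) LIST_FOREACH(p, &addr_hash[i], ia_hash) n++;
    return n;
}

/* Init step: hash the entry only for AF_INET, then let an (assumed) interface
 * hook validate it; here the hook rejects address 0 after the entry is hashed. */
static int addr_init(struct ifaddr_model *ia) {
    if (ia->family != AF_INET) return EAFNOSUPPORT;
    LIST_INSERT_HEAD(&addr_hash[ia->addr % NHASH], ia, ia_hash);
    return ia->addr == 0 ? EINVAL : 0;
}

/* One SIOCSIFADDR-like request on a zeroed temporary entry. guarded=0 models the
 * unconditional LIST_REMOVE of the buggy error path; rather than faulting, the
 * model returns -1 where the kernel would have dereferenced NULL. */
int set_addr(struct ifaddr_model *ia, int family, unsigned addr, int guarded) {
    memset(ia, 0, sizeof *ia);
    ia->family = family;
    ia->addr = addr;
    int error = addr_init(ia);
    if (error == 0) return 0;
    if (guarded) {                     /* fix: unlink only what was linked */
        if (ia->family == AF_INET) LIST_REMOVE(ia, ia_hash);
        return error;
    }
    if (!is_hashed(ia)) return -1;     /* buggy path on an AF_MAX address */
    LIST_REMOVE(ia, ia_hash);          /* hashed-then-rejected: unlink is valid */
    return error;
}
```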