Bug 283970 - netpfil/ipfw: Fix wrong indent number to dump ctl3_handlers
Summary: netpfil/ipfw: Fix wrong indent number to dump ctl3_handlers
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: Unspecified
Hardware: Any Any
: --- Affects Only Me
Assignee: Andrey V. Elsukov
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-01-10 07:12 UTC by nakayamakenjiro
Modified: 2025-03-13 10:24 UTC (History)
3 users (show)

See Also:

Attachments
ip_fw_sockopt.patch (533 bytes, patch)
2025-01-10 07:12 UTC, nakayamakenjiro 		no flags Details | Diff
Patch to remove dump_soptcodes (3.95 KB, patch)
2025-01-16 03:43 UTC, nakayamakenjiro 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description nakayamakenjiro 2025-01-10 07:12:57 UTC 
Created attachment 256593 [details]
ip_fw_sockopt.patch

ctl3_handlers

dump_soptcodes() accesses to ctl3_handlers with a wrong indent:


```
        for (n = 1; n <= count; n++) {
                ... omit ...
                sh = &ctl3_handlers[n];  # when "n == count" out of bounds.
```

Here is the observation on FreeBSD 14.0 with kgdb:

---
1. proceed steps in dump_soptcodes() by the problem code.

```
(kgdb) frame
#0 dump_soptcodes (chain=<optimized out>, op3=<optimized out>, sd=0xfffffe007325eb58) at /usr/src/sys/netpfil/ipfw/ip_fw_sockopt.c:3137 3137 for (n = 1; n <= count; n++){code}
```

2. print the value in "count", which is 29.

```
(kgdb) print count
$24 = 29
```

3. From ctl3_handlers[0] to ctl3_handlers[28] contains values but ctl3_handlers[29] is empty.

```
(kgdb) print ctl3_handlers[0]@30
$26 = {{opcode = 86, version = 0 '\000', dir = 3 '\003', handler = 0xffffffff82e3a010 <manage_table_ent_v0>, refcnt = 0}, {opcode = 86, version = 1 '\001',
    dir = 3 '\003', handler = 0xffffffff82e3a120 <manage_table_ent_v1>, refcnt = 0}, {opcode = 87, version = 0 '\000', dir = 3 '\003',
    handler = 0xffffffff82e3a010 <manage_table_ent_v0>, refcnt = 0}, {opcode = 87, version = 1 '\001', dir = 3 '\003', handler = 0xffffffff82e3a120 <manage_table_ent_v1>,
    refcnt = 0}, {opcode = 88, version = 0 '\000', dir = 2 '\002', handler = 0xffffffff82e3ac10 <get_table_size>, refcnt = 0}, {opcode = 89, version = 0 '\000',
    dir = 2 '\002', handler = 0xffffffff82e39c80 <dump_table_v0>, refcnt = 0}, {opcode = 89, version = 1 '\001', dir = 2 '\002',
    handler = 0xffffffff82e39e80 <dump_table_v1>, refcnt = 0}, {opcode = 90, version = 0 '\000', dir = 1 '\001', handler = 0xffffffff82e395a0 <flush_table_v0>,
    refcnt = 0}, {opcode = 92, version = 0 '\000', dir = 2 '\002', handler = 0xffffffff82e39bb0 <list_tables>, refcnt = 0}, {opcode = 93, version = 0 '\000',
    dir = 2 '\002', handler = 0xffffffff82e39ac0 <describe_table>, refcnt = 0}, {opcode = 94, version = 0 '\000', dir = 1 '\001',
    handler = 0xffffffff82e395a0 <flush_table_v0>, refcnt = 0}, {opcode = 95, version = 0 '\000', dir = 1 '\001', handler = 0xffffffff82e39430 <create_table>,
    refcnt = 0}, {opcode = 96, version = 0 '\000', dir = 3 '\003', handler = 0xffffffff82e398a0 <modify_table>, refcnt = 0}, {opcode = 97, version = 0 '\000',
    dir = 2 '\002', handler = 0xffffffff82e31730 <dump_config>, refcnt = 0}, {opcode = 98, version = 0 '\000', dir = 3 '\003', handler = 0xffffffff82e320a0 <add_rules>,
    refcnt = 0}, {opcode = 99, version = 0 '\000', dir = 3 '\003', handler = 0xffffffff82e32640 <del_rules>, refcnt = 0}, {opcode = 100, version = 0 '\000',
    dir = 1 '\001', handler = 0xffffffff82e32af0 <move_rules>, refcnt = 0}, {opcode = 101, version = 0 '\000', dir = 1 '\001', handler = 0xffffffff82e327a0 <clear_rules>,
    refcnt = 0}, {opcode = 102, version = 0 '\000', dir = 1 '\001', handler = 0xffffffff82e327a0 <clear_rules>, refcnt = 0}, {opcode = 103, version = 0 '\000',
    dir = 1 '\001', handler = 0xffffffff82e32c30 <manage_sets>, refcnt = 0}, {opcode = 104, version = 0 '\000', dir = 1 '\001',
    handler = 0xffffffff82e32c30 <manage_sets>, refcnt = 0}, {opcode = 105, version = 0 '\000', dir = 1 '\001', handler = 0xffffffff82e32c30 <manage_sets>, refcnt = 0}, {
    opcode = 106, version = 0 '\000', dir = 2 '\002', handler = 0xffffffff82e3a3b0 <find_table_entry>, refcnt = 0}, {opcode = 107, version = 0 '\000', dir = 2 '\002',
    handler = 0xffffffff82e3fbd0 <list_ifaces>, refcnt = 0}, {opcode = 108, version = 0 '\000', dir = 2 '\002', handler = 0xffffffff82e3aaf0 <list_table_algo>,
    refcnt = 0}, {opcode = 109, version = 0 '\000', dir = 1 '\001', handler = 0xffffffff82e3a510 <swap_table>, refcnt = 0}, {opcode = 110, version = 0 '\000',
    dir = 2 '\002', handler = 0xffffffff82e40f10 <list_table_values>, refcnt = 0}, {opcode = 116, version = 0 '\000', dir = 2 '\002',
    handler = 0xffffffff82e32e80 <dump_soptcodes>, refcnt = 1}, {opcode = 117, version = 0 '\000', dir = 2 '\002', handler = 0xffffffff82e330a0 <dump_srvobjects>,
    refcnt = 0}, {opcode = 0, version = 0 '\000', dir = 0 '\000', handler = 0x0, refcnt = 0}}

(kgdb) print ctl3_handlers[0]
$28 = {opcode = 86, version = 0 '\000', dir = 3 '\003', handler = 0xffffffff82e3a010 <manage_table_ent_v0>, refcnt = 0}

(kgdb) print ctl3_handlers[28]
$29 = {opcode = 117, version = 0 '\000', dir = 2 '\002', handler = 0xffffffff82e330a0 <dump_srvobjects>, refcnt = 0}

(kgdb) print ctl3_handlers[29]
$30 = {opcode = 0, version = 0 '\000', dir = 0 '\000', handler = 0x0, refcnt = 0}
```

---
Comment 1 Andrey V. Elsukov freebsd_committer freebsd_triage 2025-01-13 08:56:10 UTC 
I think it will be better to just remove this handler. It is unused in the tree and the information that it provides doesn't look useful.
Comment 2 nakayamakenjiro 2025-01-14 01:53:44 UTC 
(In reply to Andrey V. Elsukov from comment #1)

Do you mean that it is better to remove dump_soptcodes()? 
It was added to  determine which opcodes are available in kernel as per this commit - https://github.com/freebsd/freebsd-src/commit/be8bc45790ca1b4a7f009585c636ccda52643503#diff-071d7133f897a08ba7a53a42e141a3dc3e774fc93521204560694cc235c0168eR2331 but I have no objections.
I will update the patch if there are no objections in the next couple of days.
Comment 3 Andrey V. Elsukov freebsd_committer freebsd_triage 2025-01-14 07:37:27 UTC 
(In reply to nakayamakenjiro from comment #2)
Yes, I know, but I'm not sure how it is useful. Probably only for debugging purposes.
Comment 4 nakayamakenjiro 2025-01-16 03:43:57 UTC 
Created attachment 256727 [details]
Patch to remove dump_soptcodes

I attached the updated patch which removes dump_soptcodes().
Comment 5 commit-hook freebsd_committer freebsd_triage 2025-03-05 09:33:56 UTC 
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=b405250c77e6841a8159a4081d4e0f61e49dfbf8

commit b405250c77e6841a8159a4081d4e0f61e49dfbf8
Author:     Andrey V. Elsukov <ae@FreeBSD.org>
AuthorDate: 2025-03-05 09:29:22 +0000
Commit:     Andrey V. Elsukov <ae@FreeBSD.org>
CommitDate: 2025-03-05 09:29:22 +0000

    ipfw: fix dump_soptcodes() handler

    Use correct indent number to dump registered socket options.
    It is not currently in use but can be used for debugging.

    PR:             283970
    MFC after:      1 week

 sys/netpfil/ipfw/ip_fw_sockopt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 6 commit-hook freebsd_committer freebsd_triage 2025-03-13 10:18:38 UTC 
A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=83c23b6c66303157f1bc9f06438b61d70088d849

commit 83c23b6c66303157f1bc9f06438b61d70088d849
Author:     Andrey V. Elsukov <ae@FreeBSD.org>
AuthorDate: 2025-03-05 09:29:22 +0000
Commit:     Andrey V. Elsukov <ae@FreeBSD.org>
CommitDate: 2025-03-13 10:17:37 +0000

    ipfw: fix dump_soptcodes() handler

    Use correct indent number to dump registered socket options.
    It is not currently in use but can be used for debugging.

    PR:             283970

    (cherry picked from commit b405250c77e6841a8159a4081d4e0f61e49dfbf8)

 sys/netpfil/ipfw/ip_fw_sockopt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 7 commit-hook freebsd_committer freebsd_triage 2025-03-13 10:19:39 UTC 
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=f1929835f76d587804c417f19188f41b77e8e7c6

commit f1929835f76d587804c417f19188f41b77e8e7c6
Author:     Andrey V. Elsukov <ae@FreeBSD.org>
AuthorDate: 2025-03-05 09:29:22 +0000
Commit:     Andrey V. Elsukov <ae@FreeBSD.org>
CommitDate: 2025-03-13 10:18:44 +0000

    ipfw: fix dump_soptcodes() handler

    Use correct indent number to dump registered socket options.
    It is not currently in use but can be used for debugging.

    PR:             283970

    (cherry picked from commit b405250c77e6841a8159a4081d4e0f61e49dfbf8)

 sys/netpfil/ipfw/ip_fw_sockopt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)