From venglin@freebsd.lublin.pl  Thu Nov 11 19:14:57 2010
Return-Path: <venglin@freebsd.lublin.pl>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id A7A9E106564A
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 11 Nov 2010 19:14:57 +0000 (UTC)
	(envelope-from venglin@freebsd.lublin.pl)
Received: from lagoon.freebsd.lublin.pl (lagoon.freebsd.lublin.pl [IPv6:2001:1a68:2:2::3])
	by mx1.freebsd.org (Postfix) with ESMTP id 30D048FC12
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 11 Nov 2010 19:14:57 +0000 (UTC)
Received: by lagoon.freebsd.lublin.pl (Postfix, from userid 3000)
	id 7113A23944A; Thu, 11 Nov 2010 20:14:55 +0100 (CET)
Message-Id: <20101111191455.7113A23944A@lagoon.freebsd.lublin.pl>
Date: Thu, 11 Nov 2010 20:14:55 +0100 (CET)
From: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
Reply-To: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [PATCH] rtadvd(8) null pointer dereference
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         152143
>Category:       bin
>Synopsis:       [PATCH] rtadvd(8) null pointer dereference
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    bz
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Nov 11 19:20:09 UTC 2010
>Closed-Date:    Sat Apr 09 10:20:33 UTC 2011
>Last-Modified:  Sat Apr  9 10:30:14 UTC 2011
>Originator:     Przemyslaw Frasunek
>Release:        FreeBSD 7.3-RELEASE i386
>Organization:
Nette sp. z o.o.
>Environment:
	Generic 7.3-RELEASE
>Description:
	rtadvd(8) crashes sporadically on machines with a large number
	of dynamically created network interfaces (ng, vlan, tap, ...).
	This is due to a null pointer dereference caused by a race
	condition when the interface is being destroyed. See patch below.
>How-To-Repeat:
	See above.
>Fix:

--- rtadvd.c.old        2010-02-10 01:26:20.000000000 +0100
+++ rtadvd.c    2010-11-11 20:08:24.000000000 +0100
@@ -659,7 +659,7 @@
         * If we happen to receive data on an interface which is now
         * down,
         * just discard the data.
         */
-       if ((iflist[pi->ipi6_ifindex]->ifm_flags & IFF_UP) == 0) {
+       if ((iflist[pi->ipi6_ifindex] == NULL || iflist[pi->ipi6_ifindex]->ifm_flags & IFF_UP) == 0) {
                syslog(LOG_INFO,
                       "<%s> received data on a disabled interface
(%s)",
                       __func__,
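
Review bot: The parentheses on the added line wrap the whole `||` expression in `== 0`, so when `iflist[pi->ipi6_ifindex]` is NULL the left operand is true, the comparison with 0 is false, and the discard branch is skipped rather than taken. Close the group around the flag test only, as in `iflist[pi->ipi6_ifindex] == NULL || (iflist[pi->ipi6_ifindex]->ifm_flags & IFF_UP) == 0`, and extend the comment above the test to mention an interface that no longer exists.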

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->bz 
Responsible-Changed-By: bz 
Responsible-Changed-When: Thu Nov 18 06:15:45 UTC 2010 
Responsible-Changed-Why:  
Take. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=152143 

From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: bug-followup@FreeBSD.org, venglin@freebsd.lublin.pl
Cc:  
Subject: Re: bin/152143: [PATCH] rtadvd(8) null pointer dereference
Date: Thu, 18 Nov 2010 09:45:57 +0000 (UTC)

 Hi,
 
 I think you got the () wrong.  Can you test this patch and report
 back:
 
 http://people.freebsd.org/~bz/20101118-01-rtadvd-pr152143.diff
 
 /bz
 
 -- 
 Bjoern A. Zeeb                              Welcome a new stage of life.
          <ks> Going to jail sucks -- <bz> All my daemons like it!
    http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html
State-Changed-From-To: open->feedback 
State-Changed-By: bz 
State-Changed-When: Thu Nov 18 09:58:04 UTC 2010 
State-Changed-Why:  
An updated version of the patch has been provided for testing 
(and review). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=152143 

From: Przemyslaw Frasunek <przemyslaw@frasunek.com>
To: "Bjoern A. Zeeb" <bz@FreeBSD.org>
Cc: bug-followup@FreeBSD.org
Subject: Re: bin/152143: [PATCH] rtadvd(8) null pointer dereference
Date: Tue, 22 Feb 2011 23:51:40 +0100

 > I think you got the () wrong.  Can you test this patch and report
 > back:
 > 
 > http://people.freebsd.org/~bz/20101118-01-rtadvd-pr152143.diff
 
 Hi,
 
 I can confirm, it works properly. Thanks!

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/152143: commit references a PR
Date: Wed,  2 Mar 2011 17:13:58 +0000 (UTC)

 Author: bz
 Date: Wed Mar  2 17:13:07 2011
 New Revision: 219184
 URL: http://svn.freebsd.org/changeset/base/219184
 
 Log:
   Prevent crashes from a race when (cloned) interfaces go away.
   
   PR:		bin/152143
   Submitted by:	Przemyslaw Frasunek (przemyslaw frasunek.com)
   Tested by:	Przemyslaw Frasunek (przemyslaw frasunek.com)
   MFC after:	1 week
 
 Modified:
   head/usr.sbin/rtadvd/rtadvd.c
 
 Modified: head/usr.sbin/rtadvd/rtadvd.c
 ==============================================================================
 --- head/usr.sbin/rtadvd/rtadvd.c	Wed Mar  2 16:16:09 2011	(r219183)
 +++ head/usr.sbin/rtadvd/rtadvd.c	Wed Mar  2 17:13:07 2011	(r219184)
 @@ -667,14 +667,16 @@ rtadvd_input()
  	}
  
  	/*
 -	 * If we happen to receive data on an interface which is now down,
 -	 * just discard the data.
 +	 * If we happen to receive data on an interface which is now gone
 +	 * or down, just discard the data.
  	 */
 -	if ((iflist[pi->ipi6_ifindex]->ifm_flags & IFF_UP) == 0) {
 +	if (iflist[pi->ipi6_ifindex] == NULL ||
 +	    (iflist[pi->ipi6_ifindex]->ifm_flags & IFF_UP) == 0) {
  		syslog(LOG_INFO,
  		       "<%s> received data on a disabled interface (%s)",
  		       __func__,
 -		       if_indextoname(pi->ipi6_ifindex, ifnamebuf));
 +		       (iflist[pi->ipi6_ifindex] == NULL) ? "[gone]" :
 +			    if_indextoname(pi->ipi6_ifindex, ifnamebuf));
  		return;
  	}
  
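
Review bot: `pi->ipi6_ifindex` is still used as a subscript into `iflist` with no range check in the shown lines, so the new NULL test only protects slots that exist in the array. If nothing earlier in `rtadvd_input()` bounds the index, compare it against the array size before the first `iflist[...]` access, since an interface cloned after the list was built would not be covered by the NULL test. Reading the slot into a local once would also avoid subscripting the array three times in this block.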
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
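
The difference between the condition as first submitted and the one committed in r219184, as an added example that is not part of the PR or of rtadvd. `struct if_entry`, `discard_submitted` and `discard_committed` are hypothetical names, the sample `iflist` is constructed, and `IFF_UP` is defined locally so the file builds on its own.

```c
#include <stddef.h>
#include <stdio.h>

#define IFF_UP 0x1	/* assumption: local stand-in for the <net/if.h> flag */

/* Constructed stand-in for the per-interface entries kept in iflist[]. */
struct if_entry {
	int ifm_flags;
};

/* Condition as submitted: "== 0" applies to the whole "||" expression. */
static int
discard_submitted(const struct if_entry *e)
{
	return ((e == NULL || e->ifm_flags & IFF_UP) == 0);
}

/* Condition as committed: NULL test first, "== 0" only on the flag test. */
static int
discard_committed(const struct if_entry *e)
{
	return (e == NULL || (e->ifm_flags & IFF_UP) == 0);
}

int
main(void)
{
	struct if_entry up = { IFF_UP }, down = { 0 };
	/* Constructed sample: slot 0 models an interface that went away. */
	const struct if_entry *iflist[] = { NULL, &up, &down };
	const char *label[] = { "gone (NULL)", "up", "down" };
	size_t i;

	for (i = 0; i < sizeof(iflist) / sizeof(iflist[0]); i++)
		printf("%-12s discard: submitted=%d committed=%d\n", label[i],
		    discard_submitted(iflist[i]), discard_committed(iflist[i]));
	return (0);
}
```

Both forms avoid the dereference through short-circuit evaluation, but only the committed form discards the packet for a missing entry; the submitted form lets it continue into the code that follows the check.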
 
State-Changed-From-To: feedback->patched 
State-Changed-By: bz 
State-Changed-When: Wed Mar 2 17:29:00 UTC 2011 
State-Changed-Why:  
Change committed; MFC timer set. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=152143 
State-Changed-From-To: patched->closed 
State-Changed-By: bz 
State-Changed-When: Sat Apr 9 10:19:41 UTC 2011 
State-Changed-Why:  
The changes were merged to 7 and 8. 
Thanks a lot for the report. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=152143 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/152143: commit references a PR
Date: Sat,  9 Apr 2011 10:19:00 +0000 (UTC)

 Author: bz
 Date: Sat Apr  9 10:18:46 2011
 New Revision: 220475
 URL: http://svn.freebsd.org/changeset/base/220475
 
 Log:
   MFC r219184:
   
     Prevent crashes from a race when (cloned) interfaces go away.
   
   PR:		bin/152143
     Submitted by:	Przemyslaw Frasunek (przemyslaw frasunek.com)
     Tested by:	Przemyslaw Frasunek (przemyslaw frasunek.com)
 
 Modified:
   stable/7/usr.sbin/rtadvd/rtadvd.c
 Directory Properties:
   stable/7/usr.sbin/rtadvd/   (props changed)
 
 Modified: stable/7/usr.sbin/rtadvd/rtadvd.c
 ==============================================================================
 --- stable/7/usr.sbin/rtadvd/rtadvd.c	Sat Apr  9 09:33:36 2011	(r220474)
 +++ stable/7/usr.sbin/rtadvd/rtadvd.c	Sat Apr  9 10:18:46 2011	(r220475)
 @@ -667,14 +667,16 @@ rtadvd_input()
  	}
  
  	/*
 -	 * If we happen to receive data on an interface which is now down,
 -	 * just discard the data.
 +	 * If we happen to receive data on an interface which is now gone
 +	 * or down, just discard the data.
  	 */
 -	if ((iflist[pi->ipi6_ifindex]->ifm_flags & IFF_UP) == 0) {
 +	if (iflist[pi->ipi6_ifindex] == NULL ||
 +	    (iflist[pi->ipi6_ifindex]->ifm_flags & IFF_UP) == 0) {
  		syslog(LOG_INFO,
  		       "<%s> received data on a disabled interface (%s)",
  		       __func__,
 -		       if_indextoname(pi->ipi6_ifindex, ifnamebuf));
 +		       (iflist[pi->ipi6_ifindex] == NULL) ? "[gone]" :
 +			    if_indextoname(pi->ipi6_ifindex, ifnamebuf));
  		return;
  	}
  
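
Review bot: In the `syslog()` arguments, the non-NULL arm still passes the result of `if_indextoname()` straight to `%s`, and that function returns NULL when the index no longer maps to an interface. That is the situation this change addresses: an entry can still be present in `iflist` and marked down while the interface itself has already been removed. Store the result and substitute a fixed string, such as the `"[gone]"` already used here, when it is NULL.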
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/152143: commit references a PR
Date: Sat,  9 Apr 2011 10:19:37 +0000 (UTC)

 Author: bz
 Date: Sat Apr  9 10:19:25 2011
 New Revision: 220476
 URL: http://svn.freebsd.org/changeset/base/220476
 
 Log:
   MFC r219184:
   
     Prevent crashes from a race when (cloned) interfaces go away.
   
   PR:             bin/152143
     Submitted by: Przemyslaw Frasunek (przemyslaw frasunek.com)
     Tested by:    Przemyslaw Frasunek (przemyslaw frasunek.com)
 
 Modified:
   stable/8/usr.sbin/rtadvd/rtadvd.c
 Directory Properties:
   stable/8/usr.sbin/rtadvd/   (props changed)
 
 Modified: stable/8/usr.sbin/rtadvd/rtadvd.c
 ==============================================================================
 --- stable/8/usr.sbin/rtadvd/rtadvd.c	Sat Apr  9 10:18:46 2011	(r220475)
 +++ stable/8/usr.sbin/rtadvd/rtadvd.c	Sat Apr  9 10:19:25 2011	(r220476)
 @@ -667,14 +667,16 @@ rtadvd_input()
  	}
  
  	/*
 -	 * If we happen to receive data on an interface which is now down,
 -	 * just discard the data.
 +	 * If we happen to receive data on an interface which is now gone
 +	 * or down, just discard the data.
  	 */
 -	if ((iflist[pi->ipi6_ifindex]->ifm_flags & IFF_UP) == 0) {
 +	if (iflist[pi->ipi6_ifindex] == NULL ||
 +	    (iflist[pi->ipi6_ifindex]->ifm_flags & IFF_UP) == 0) {
  		syslog(LOG_INFO,
  		       "<%s> received data on a disabled interface (%s)",
  		       __func__,
 -		       if_indextoname(pi->ipi6_ifindex, ifnamebuf));
 +		       (iflist[pi->ipi6_ifindex] == NULL) ? "[gone]" :
 +			    if_indextoname(pi->ipi6_ifindex, ifnamebuf));
  		return;
  	}
  
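
Review bot: The unchanged `syslog()` format line still reads "received data on a disabled interface" for both cases, while the updated comment distinguishes gone from down, and with `"[gone]"` in place of the name the message no longer identifies which interface vanished. Consider logging `pi->ipi6_ifindex` numerically in the gone case and wording the message to match the comment.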
 
>Unformatted:
