From nobody@FreeBSD.org  Thu Oct  4 13:02:29 2001
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 2BDBC37B40C
	for <freebsd-gnats-submit@FreeBSD.org>; Thu,  4 Oct 2001 13:02:29 -0700 (PDT)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.4/8.11.4) id f94K2Tf57302;
	Thu, 4 Oct 2001 13:02:29 -0700 (PDT)
	(envelope-from nobody)
Message-Id: <200110042002.f94K2Tf57302@freefall.freebsd.org>
Date: Thu, 4 Oct 2001 13:02:29 -0700 (PDT)
From: Paul Herman <pherman@frenchfries.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: routed dumps core
X-Send-Pr-Version: www-1.0

>Number:         31045
>Category:       bin
>Synopsis:       routed dumps core
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bms
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Oct 04 13:10:00 PDT 2001
>Closed-Date:    Wed Nov 26 18:04:04 PST 2003
>Last-Modified:  Wed Nov 26 18:04:04 PST 2003
>Originator:     Paul Herman
>Release:        FreeBSD 4.4-RELEASE alpha
>Organization:
>Environment:
FreeBSD arthur.sc.omation.com 4.4-RELEASE FreeBSD 4.4-RELEASE #0: Wed Sep 19 17:24:50 PDT 2001 pherman@arthur.sc.omation.com:/usr/obj/usr/src/sys/arthur  alpha
>Description:
        My routed dumps core when I do an rtquery on its xl1
        interface.  My /etc/gateways:
          if=xl1 no_rip no_rdisc
          if=xl0 pm_rdisc

        routed is started as "routed -s" to force it to act like a 
        gateway.

        Here's the trace:

12:30:41{{ttyp0}root@arthur}/sbin//> gdb /sbin/routed /routed.core
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "alpha-unknown-freebsd"...
Core was generated by `routed'.
Program terminated with signal 11, Segmentation fault.
#0  0x1200088bc in supply (dst=0x120079b40, ifp=0x0, type=OUT_QUERY, flash=0,
    vers=2, passwd_ok=0) at /usr/src/sbin/routed/output.c:767
767             if (supplier && (def_metric = ifp->int_d_metric) != 0) {
(gdb) bt
#0  0x1200088bc in supply (dst=0x120079b40, ifp=0x0, type=OUT_QUERY, flash=0,
    vers=2, passwd_ok=0) at /usr/src/sbin/routed/output.c:767
(gdb) print ifp
$1 = (struct interface *) 0x0
(gdb) print *rt
$2 = {rt_nodes = {{rn_mklist = 0x0, rn_p = 0x0, rn_b = 0, rn_bmask = 0 '\000',
      rn_flags = 0 '\000', rn_u = {rn_leaf = {rn_Key = 0x0, rn_Mask = 0x0,
          rn_Dupedkey = 0x0}, rn_node = {rn_Off = 0, rn_L = 0x0,
          rn_R = 0x0}}}, {rn_mklist = 0x0, rn_p = 0x0, rn_b = 0,
      rn_bmask = 0 '\000', rn_flags = 0 '\000', rn_u = {rn_leaf = {
          rn_Key = 0x0, rn_Mask = 0x0, rn_Dupedkey = 0x0}, rn_node = {
          rn_Off = 0, rn_L = 0x0, rn_R = 0x0}}}}, rt_state = 0, rt_dst_sock = {
    sin_len = 0 '\000', sin_family = 0 '\000', sin_port = 0, sin_addr = {
      s_addr = 0}, sin_zero = "\000\000\000\000\000\000\000"}, rt_mask = 0,
  rt_spares = {{rts_ifp = 0x0, rts_gate = 0, rts_router = 0,
      rts_metric = 0 '\000', rts_tag = 0, rts_time = 0, rts_de_ag = 0}, {
      rts_ifp = 0x0, rts_gate = 0, rts_router = 0, rts_metric = 0 '\000',
      rts_tag = 0, rts_time = 0, rts_de_ag = 0}, {rts_ifp = 0x0, rts_gate = 0,
      rts_router = 0, rts_metric = 0 '\000', rts_tag = 0, rts_time = 0,
      rts_de_ag = 0}, {rts_ifp = 0x0, rts_gate = 0, rts_router = 0,
      rts_metric = 0 '\000', rts_tag = 0, rts_time = 0, rts_de_ag = 0}},
  rt_seqno = 0, rt_poison_metric = 0 '\000', rt_poison_time = 0}

Seems like "rtfind(dst->sin_addr.s_addr)" fails in the beginning of
supply() in output.c, and ifp is assigned a NULL pointer.

>How-To-Repeat:
        Do same setup as described at the beginning of "Description:"
        and do an rtquery from an external host.

>Fix:
        I suppose have supply() do some bounds checking and then fail
        accordingly, but I don't even know what supply() does, so
        wouldn't know how to do that.

        Other configuration info available upon request.
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->ru 
Responsible-Changed-By: kris 
Responsible-Changed-When: Thu Oct 4 22:54:14 PDT 2001 
Responsible-Changed-Why:  
Ruslan has been working on routed 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=31045 
Responsible-Changed-From-To: ru->freebsd-bugs 
Responsible-Changed-By: kris 
Responsible-Changed-When: Thu Oct 4 23:28:25 PDT 2001 
Responsible-Changed-Why:  
No he hasn't :-) 

Responsible-Changed-From-To: freebsd-bugs->bms 
Responsible-Changed-By: bms 
Responsible-Changed-When: Tue 25 Nov 2003 09:08:03 PST 
Responsible-Changed-Why:  
I'm in hoover up network PRs mode. I'll look into this. 


State-Changed-From-To: open->feedback 
State-Changed-By: bms 
State-Changed-When: Tue 25 Nov 2003 09:08:19 PST 
State-Changed-Why:  
Have you tried to reproduce the failure case with a more recent version 
of FreeBSD, e.g. 4.9-RELEASE? 

State-Changed-From-To: feedback->closed 
State-Changed-By: bms 
State-Changed-When: Wed 26 Nov 2003 18:03:48 PST 
State-Changed-Why:  
Closed at submitter's request. 

>Unformatted:
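
An added example, not routed's source and not part of the PR: a small C model of the test reported at output.c:767, with a NULL check on ifp so a query that maps to no interface gets a reply without a default route instead of a crash. The interface table, `if_for_source()`, `default_metric()` and `answer_query()` are hypothetical; only `supplier`, `ifp` and `int_d_metric` come from the backtrace.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the crash site; NOT routed's source. Only supplier,
 * ifp and int_d_metric come from the PR's backtrace; the rest is hypothetical. */
struct interface {
    const char *int_name;
    uint32_t    int_net, int_mask;  /* host byte order, constructed values */
    int         no_rip;             /* mirrors "no_rip" in /etc/gateways */
    int         int_d_metric;       /* metric for an advertised default route */
};

static struct interface ifnet[] = {
    { "xl0", 0x0a000000u, 0xffffff00u, 0, 1 },  /* 10.0.0.0/24, RIP on */
    { "xl1", 0xc0a80100u, 0xffffff00u, 1, 0 },  /* 192.168.1.0/24, no_rip */
};

/* Hypothetical lookup: the RIP-speaking interface a querier sits behind,
 * or NULL when there is none (off-link host, or a no_rip interface). */
static struct interface *if_for_source(uint32_t src)
{
    for (size_t i = 0; i < sizeof(ifnet) / sizeof(ifnet[0]); i++)
        if ((src & ifnet[i].int_mask) == ifnet[i].int_net && !ifnet[i].no_rip)
            return &ifnet[i];
    return NULL;
}

/* Guarded form of the test at output.c:767. The reported line was
 *     if (supplier && (def_metric = ifp->int_d_metric) != 0) {
 * which faults when a query arrives with ifp == NULL. */
static int default_metric(const struct interface *ifp, int supplier)
{
    int def_metric;

    if (supplier && ifp != NULL && (def_metric = ifp->int_d_metric) != 0)
        return def_metric;
    return 0;   /* no default route is advertised to this querier */
}

/* Answer a query from src; returns the default-route metric to include
 * in the reply, or 0 for none. Never dereferences a NULL ifp. */
static int answer_query(uint32_t src, int supplier)
{
    return default_metric(if_for_source(src), supplier);
}
```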
