From mclay@locutus.weareb.org  Thu Aug 22 06:49:26 1996
Received: from locutus.weareb.org (locutus.weareb.org [204.177.169.98])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id GAA15585
          for <FreeBSD-gnats-submit@freebsd.org>; Thu, 22 Aug 1996 06:49:24 -0700 (PDT)
Received: (from mclay@localhost) by locutus.weareb.org (8.7.4/8.7.4) id IAA03462; Thu, 22 Aug 1996 08:49:29 -0500 (CDT)
Message-Id: <199608221349.IAA03462@locutus.weareb.org>
Date: Thu, 22 Aug 1996 08:49:29 -0500 (CDT)
From: Michael Clay <mclay@weareb.org>
Reply-To: mclay@weareb.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: Crash from bug in rtrequest() (sys/net/route.c)
X-Send-Pr-Version: 3.2

>Number:         1532
>Category:       kern
>Synopsis:       Crash from bug in rtrequest() (sys/net/route.c)
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 22 06:50:01 PDT 1996
>Closed-Date:    Fri Aug 23 20:11:19 PDT 1996
>Last-Modified:  Fri Aug 23 20:12:07 PDT 1996
>Originator:     Michael Clay
>Release:        FreeBSD 2.1-STABLE i386
>Organization:
None
>Environment:

	Occurs when adding routes with no netmask info.

>Description:

	When adding a non-host route and not specifying the netmask
	information for that route, the rn_walktree_from() code will
	attempt to dereference the null pointer for the netmask and
	the system will crash.  This is not seen in the AF_INET
	address family, since the code always adds a netmask.

>How-To-Repeat:

	The only two address families I have been working with have
	been AF_INET and AF_INET6, the latter being the one with which
	I was seeing the crash.  The mods for the AF_INET6 family are
	available from ftp://ftp.inria.fr/network/ipv6/ as part of the
	IP Version 6 enablement effort.  With these mods, one can
	crash the machine with the command:

	    route add -inet6 ::2 ::1

	I am sure that the machine can be crashed without them using
	a different address family, but I am not familiar enough with
	those families to produce a proper configuration.

>Fix:
	
	Take a look at the code for rtrequest() in sys/net/route.c, near
	the bottom (line 511 from the 2.1.0 source base).  There is an 'if'
	statement that calls the routine rnh->rnh_walktree_from().  The 'if'
	makes sure that the RTF_HOST bit is not set.  If you take a look at
	all of the other calls to rnh_walktree_from(), you will see that a
	check is also being made to make sure that the netmask is non-NULL.
	The context diff for the fix is included here:

	*** route.c-new Wed Aug 21 21:39:52 1996
	--- route.c-orig        Wed Aug 21 21:39:05 1996
	***************
	*** 508,514 ****
			 * it doesn't fire when we call it there because the node
			 * hasn't been added to the tree yet.
			 */
	!               if (!(rt->rt_flags & RTF_HOST) && rt_mask(rt) != 0) {
				struct rtfc_arg arg;
				arg.rnh = rnh;
				arg.rt0 = rt;
	--- 508,514 ----
			 * it doesn't fire when we call it there because the node
			 * hasn't been added to the tree yet.
			 */
	!               if (!(rt->rt_flags & RTF_HOST)) {
				struct rtfc_arg arg;
				arg.rnh = rnh;
				arg.rt0 = rt;
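Review bot: the hunk is reversed, so it cannot be applied as written. The `***` (old) side is labelled `route.c-new` and the `---` (new) side is `route.c-orig`, and the `!` lines accordingly show the `rt_mask(rt) != 0` guard being removed, not added; feeding this to patch(1) would strip the NULL-mask check rather than introduce it. Regenerate with the conventional order (`diff -c route.c-orig route.c-new`) or apply with `patch -R`. The intended condition, `if (!(rt->rt_flags & RTF_HOST) && rt_mask(rt) != 0)`, is the right one: it matches the NULL-mask check the description says the other rnh_walktree_from() callers already make, and a short comment on that line noting why the mask may legitimately be NULL for non-AF_INET families would help the next reader.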


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: peter 
State-Changed-When: Fri Aug 23 20:11:19 PDT 1996 
State-Changed-Why:  
Suggested fix applied, rev 1.35 of route.c 
>Unformatted:
