From pavel@NetworkPhysics.COM  Mon Apr 10 16:13:48 2000
Return-Path: <pavel@NetworkPhysics.COM>
Received: from gto.networkphysics.com (DNS1.networkphysics.com [63.194.71.40])
	by hub.freebsd.org (Postfix) with ESMTP id 67EA937B764
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 10 Apr 2000 16:12:28 -0700 (PDT)
	(envelope-from pavel@NetworkPhysics.COM)
Received: from cyclone.networkphysics.com (cyclone.networkphysics.com [10.1.0.46])
	by gto.networkphysics.com (8.9.3/8.9.3) with ESMTP id PAA34294
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 10 Apr 2000 15:49:22 -0700 (PDT)
	(envelope-from pavel@NetworkPhysics.COM)
Received: (from pavel@localhost)
	by cyclone.networkphysics.com (8.9.3/8.9.3) id PAA00657;
	Mon, 10 Apr 2000 15:49:22 -0700 (PDT)
	(envelope-from pavel@NetworkPhysics.COM)
Message-Id: <200004102249.PAA00657@cyclone.networkphysics.com>
Date: Mon, 10 Apr 2000 15:49:22 -0700 (PDT)
From: Tom Pavel <pavel@NetworkPhysics.COM>
Reply-To: pavel@alum.mit.edu
To: FreeBSD-gnats-submit@freebsd.org
Subject: uninitialized var in netgraph msg code
X-Send-Pr-Version: 3.2

>Number:         17911
>Category:       kern
>Synopsis:       uninitialized var in netgraph msg code
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    archie
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 10 16:20:01 PDT 2000
>Closed-Date:    Wed Apr 12 10:32:22 PDT 2000
>Last-Modified:  Wed Apr 12 10:32:43 PDT 2000
>Originator:     Tom Pavel
>Release:        FreeBSD 3.4-RELEASE i386
>Organization:
Network Physics, Inc.
>Environment:

	Netgraph code in 3.4 or 3-STABLE (same bug in current).  

	Using:
        $FreeBSD: src/sys/netgraph/ng_base.c,v 1.6.2.9 1999/12/08 19:44:03 julian Exp $

	running on i386:
	cyclone[44]% uname -a
	FreeBSD cyclone.networkphysics.com 3.4-RELEASE FreeBSD 3.4-RELEASE #7: Mon Apr 10 12:03:55 PDT 2000     root@cyclone.networkphysics.com:/usr/src/sys/compile/NGTEST  i386


>Description:

	The "off" variable in the NGM_ASCII2BINARY case of
	ng_generic_msg() is uninitialized.  This can lead to a kernel
	panic in strtol() (from e.g. ng_int32_parse()) if the variable
	happens to be initialized to a (nonzero) nonsensical value.

>How-To-Repeat:

	Hook up some netgraph modules, send a bunch of ngctl msg
	commands with numeric arguments, and wait for the kernel stack
	to churn a bit.

>Fix:
	
--- /sys/netgraph/ng_base.c     Wed Dec  8 11:44:03 1999
+++ ng_base.c   Mon Apr 10 12:03:19 2000
@@ -1519,7 +1519,7 @@
                const struct ng_cmdlist *c;
                const struct ng_parse_type *argstype;
                struct ng_mesg *rp, *ascii, *binary;
-               int off;
+               int off = 0;
 
                /* Data area must contain at least a struct ng_mesg + '\0' */
                ascii = (struct ng_mesg *)msg->data;
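Review bot: initializing `off` to 0 at its declaration (`+               int off = 0;`) stops the uninitialized read, but the hunk does not show the code that later consumes `off` (the strtol() path through ng_int32_parse() named in the description), so it should be confirmed that zero is the correct starting offset for that parse and that no later branch depends on `off` having been left unset; a short comment at the declaration saying why 0 is the right initial value would help whoever touches this case next. Separately, the parser that consumes `off` should reject an offset at or beyond the message data length rather than relying on every caller to initialize it, so the same class of bug cannot recur.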


Tom Pavel

Network Physics
pavel@networkphysics.com / pavel@alum.mit.edu 
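The report describes an offset variable that is read before it is set and then handed to strtol(), which walks memory from wherever the stale value points. The following is an added illustration written for this page; it is not FreeBSD's netgraph code, and the function names (parse_int32_at, parse_message, the demo_* helpers) and the sample message are constructed here. It shows the two defensive layers: the caller starts from a known offset (the PR's fix), and the parser itself refuses any offset outside the buffer and copies the remaining bytes into a NUL-terminated scratch area so strtol() can never run past the end of the data, regardless of what the caller passed.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse one int32 (decimal, octal or 0x-hex, as strtol base 0 allows) from
 * buf starting at *off, and advance *off past it.  Returns 0 on success and
 * -1 on any failure.  The offset is validated against len before any byte is
 * touched, so a stale or garbage offset yields an error, not a wild read. */
int parse_int32_at(const char *buf, size_t len, size_t *off, int32_t *out)
{
    char tmp[32];          /* scratch copy; an int32 plus sign needs 11 chars */
    char *end;
    size_t n;
    long v;

    if (buf == NULL || off == NULL || out == NULL)
        return -1;
    if (*off >= len)       /* offset outside the message data: refuse it */
        return -1;

    /* Copy the remainder into a NUL-terminated buffer.  strtol() needs a
     * terminator, and message data is not guaranteed to carry one. */
    n = len - *off;
    if (n >= sizeof(tmp))
        n = sizeof(tmp) - 1;   /* a field longer than this is rejected below */
    memcpy(tmp, buf + *off, n);
    tmp[n] = '\0';

    errno = 0;
    v = strtol(tmp, &end, 0);
    if (end == tmp)                        /* no digits at this offset */
        return -1;
    if (errno == ERANGE || v < INT32_MIN || v > INT32_MAX)
        return -1;                         /* does not fit in an int32 */

    *out = (int32_t)v;
    *off += (size_t)(end - tmp);
    return 0;
}

/* Parse whitespace-separated integers from a message into vals.  The offset
 * is initialized before use, which is exactly the one-line fix in the PR. */
size_t parse_message(const char *msg, size_t len, int32_t *vals, size_t maxvals)
{
    size_t off = 0;        /* known starting point; never left uninitialized */
    size_t count = 0;
    int32_t v;

    while (count < maxvals && off < len) {
        if (parse_int32_at(msg, len, &off, &v) != 0)
            break;         /* stop at the first field that does not parse */
        vals[count++] = v;
    }
    return count;
}

/* Constructed sample, shaped like numeric arguments to an ngctl msg command. */
static const char SAMPLE[] = "12 0x10 -7";

size_t demo_parse_count(void)
{
    int32_t v[8];
    return parse_message(SAMPLE, strlen(SAMPLE), v, 8);
}

int32_t demo_parse_value(size_t i)
{
    int32_t v[8] = {0};
    parse_message(SAMPLE, strlen(SAMPLE), v, 8);
    return i < 8 ? v[i] : 0;
}

/* Simulate the bug: hand the parser a nonsensical offset, as an uninitialized
 * stack variable might hold.  Returns 1 if the parser rejected it. */
int demo_bogus_offset_rejected(void)
{
    size_t off = (size_t)0x7fffffff;   /* constructed garbage value */
    int32_t x = 0;
    return parse_int32_at(SAMPLE, strlen(SAMPLE), &off, &x) == -1;
}

int main(void)
{
    size_t i, n = demo_parse_count();
    printf("parsed %zu values:", n);
    for (i = 0; i < n; i++)
        printf(" %d", (int)demo_parse_value(i));
    printf("\nbogus offset rejected: %s\n",
           demo_bogus_offset_rejected() ? "yes" : "no");
    return 0;
}
```

With the sample input this yields the three values 12, 16 and -7, and the garbage offset is turned into an error return instead of a read from an unrelated part of the stack. The point of the second layer is that an offset check inside the parser protects every caller, including one that forgets to initialize its local the way the original ng_generic_msg() case did.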

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->archie 
Responsible-Changed-By: sheldonh 
Responsible-Changed-When: Tue Apr 11 06:08:06 PDT 2000 
Responsible-Changed-Why:  
Over to the currently active netgraph person. :-) 
State-Changed-From-To: open->closed 
State-Changed-By: archie 
State-Changed-When: Wed Apr 12 10:32:22 PDT 2000 
State-Changed-Why:  
Patch applied in -current, RELENG_4, and RELENG_3 
Thanks!! 
>Unformatted:
