From demond@demond.dyn.dhs.org  Fri Jun 30 08:39:07 2000
Return-Path: <demond@demond.dyn.dhs.org>
Received: from demond.dyn.dhs.org (HSE-Toronto-ppp116949.sympatico.ca [216.209.82.6])
	by hub.freebsd.org (Postfix) with ESMTP id 2879D37BB7B
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 30 Jun 2000 08:39:06 -0700 (PDT)
	(envelope-from demond@demond.dyn.dhs.org)
Received: (from demond@localhost)
	by demond.dyn.dhs.org (8.9.3/8.9.3) id LAA15329;
	Fri, 30 Jun 2000 11:40:43 -0400 (EDT)
	(envelope-from demond)
Message-Id: <200006301540.LAA15329@demond.dyn.dhs.org>
Date: Fri, 30 Jun 2000 11:40:43 -0400 (EDT)
From: demond@demond.dyn.dhs.org
Reply-To: demond@demond.dyn.dhs.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: FreeBSD 4.0-RELEASE panics on incorrect use of ioctl()
X-Send-Pr-Version: 3.2

>Number:         19605
>Category:       kern
>Synopsis:       FreeBSD 4.0-RELEASE panics on incorrect use of ioctl()
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jun 30 08:40:01 PDT 2000
>Closed-Date:    Sun Jul 2 16:46:08 PDT 2000
>Last-Modified:  Sun Jul 02 16:47:52 PDT 2000
>Originator:     Lubomir Radev <demond@gmx.net>
>Release:        FreeBSD 4.0-RELEASE i386
>Organization:
>Environment:

	FreeBSD 4.0-RELEASE i386

>Description:

	I tested this on several 4.0-RELEASE boxes (as an unprivileged user):

	#include <sys/types.h>
	#include <sys/ioctl.h>
	#include <sys/socket.h>
	#include <net/if.h>

	/* ifc is deliberately left uninitialized: ifc_len and ifc_buf hold
	 * garbage, which is the incorrect use that triggers the panic. */
	int main(void) {
	  struct ifconf ifc;
	  int sd = socket(PF_INET, SOCK_DGRAM, 0);
	  ioctl(sd, SIOCGIFCONF, (char *)&ifc);
	  return 0;
	}

	The result: kernel panic & reboot.
	
	Other FreeBSD versions don't seem to be affected.

>How-To-Repeat:

	See above.

>Fix:

	Wish I had time to investigate... The problem is obviously
	caused by incorrect ioctl() use (not supplying a proper buffer
	in the ifconf struct).

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed
State-Changed-By: nectar
State-Changed-When: Sun Jul 2 16:46:08 PDT 2000
State-Changed-Why:
This was fixed in rev 1.86 and rev 1.85.2.1 of sys/net/if.c.
See also PR kern/17311.

http://www.freebsd.org/cgi/query-pr.cgi?pr=19605
>Unformatted:
