From brandt@fokus.gmd.de  Mon Sep 17 08:13:27 2001
Message-Id: <200109171513.f8HFDPP78343@fokus.gmd.de>
Date: Mon, 17 Sep 2001 17:13:25 +0200 (CEST)
From: brandt@fokus.gmd.de
Reply-To: brandt@fokus.gmd.de
To: FreeBSD-gnats-submit@freebsd.org
Subject: Failure to check for existence of interface in if_mib.c
X-Send-Pr-Version: 3.113

>Number:         30630
>Category:       kern
>Synopsis:       [if_mib] Failure to check for existence of interface in if_mib.c
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Sep 17 08:20:02 PDT 2001
>Closed-Date:    Tue Jan 20 01:00:41 UTC 2009
>Last-Modified:  Tue Jan 20 01:00:41 UTC 2009
>Originator:     Hartmut Brandt
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
Fraunhofer FOKUS
>Environment:
System: FreeBSD beagle.fokus.gmd.de 5.0-CURRENT FreeBSD 5.0-CURRENT #0: Wed Sep 5 12:10:46 CEST 2001 hbb@beagle.fokus.gmd.de:/opt/obj/usr/src/sys/BEAGLE i386


	
>Description:

if_mib.c:sysctl_ifdata fails to check whether the accessed interface really
exists.

The problem is that since the advent of loadable modules the interface
index name space may be sparse. Before loadable modules one was sure that
all interfaces between 1 and if_index really exist so the check

   if (name[0] <= 0 || name[0] > if_index)

was ok. Now it is possible to unload interface drivers so that interfaces
between 1 and if_index may disappear. ifaddr_byindex(IDX) will return NULL
in this case which in turn leads to a kernel panic.

There may be other places in the kernel that also build on the old assumption.

	
>How-To-Repeat:

Put 2 network cards in your computer which need different drivers. Build
these drivers as loadable modules and reboot. Now configure the two interfaces.
Now unload the driver for the first interface and execute the test program
below:

#include <sys/types.h>
#include <sys/sysctl.h>
#include <sys/socket.h>
#include <net/if.h>
#include <net/if_mib.h>
#include <err.h>
#include <stdio.h>

int
main(int argc, char *argv[])
{
	int name[6];
	size_t len;

	/* MIB name: net.link.generic.ifdata.<index>.<what> */
	name[0] = CTL_NET;
	name[1] = PF_LINK;
	name[2] = NETLINK_GENERIC;
	name[3] = IFMIB_IFDATA;
	name[4] = 4;			/* interface index being queried */
	name[5] = IFDATA_LINKSPECIFIC;

	/* Size query only: no output buffer, the kernel fills in len. */
	if (sysctl(name, 6, NULL, &len, NULL, 0) < 0) {
		err(1, "sysctl failed");
		return (1);
	}
	return (0);
}

Watch the kernel panic.


	
>Fix:

Index: if_mib.c
===================================================================
RCS file: /usr/ncvs/src/sys/net/if_mib.c,v
retrieving revision 1.11
diff -r1.11 if_mib.c
86c86,87
< 	ifp = ifaddr_byindex(name[0])->ifa_ifp;
---
> 	if ((ifp = ifaddr_byindex(name[0])->ifa_ifp) == NULL)
> 		return (ENOENT);
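Review bot: on the added line `if ((ifp = ifaddr_byindex(name[0])->ifa_ifp) == NULL)`, the NULL test is applied to ifa_ifp only after the result of ifaddr_byindex(name[0]) has been dereferenced. The description says it is ifaddr_byindex() itself that returns NULL once the driver is unloaded, so this line still follows a NULL pointer. Suggest testing the return value of ifaddr_byindex(name[0]) first, returning ENOENT if it is NULL, and only then reading ->ifa_ifp.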
	


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->fenner 
Responsible-Changed-By: fenner 
Responsible-Changed-When: Wed Oct 17 08:03:05 PDT 2001 
Responsible-Changed-Why:  
I fixed if_mib.c; leaving the PR open to remind me to look for others. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=30630 
State-Changed-From-To: open->suspended 
State-Changed-By: linimon 
State-Changed-When: Sun Nov 13 07:42:08 GMT 2005 
State-Changed-Why:  
The original failure was fixed but the same bad code might lurk elsewhere. 


From: Ruslan Ermilov <ru@FreeBSD.org>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/30630: [if_mib] Failure to check for existence of interface in if_mib.c
Date: Thu, 24 Nov 2005 11:27:41 +0200

 At least there shouldn't be any problems with ifaddr_byindex()
 because there's only one user of it that now exists in the tree, and
 it's working right.
 
 
 Cheers,
 -- 
 Ruslan Ermilov
 ru@FreeBSD.org
 FreeBSD committer
Responsible-Changed-From-To: fenner->freebsd-bugs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun Sep 28 23:02:46 UTC 2008 
Responsible-Changed-Why:  
fenner has handed in his commit bit. 

State-Changed-From-To: suspended->closed 
State-Changed-By: linimon 
State-Changed-When: Tue Jan 20 00:59:16 UTC 2009 
State-Changed-Why:  
ru@ claimed this had been fixed long ago. 

>Unformatted:
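
An added example, not part of the PR or of the FreeBSD source: a userland C model of the sparse interface index table from the report's description, showing that the quoted range test accepts an index whose slot is empty, next to a lookup that checks the table entry before following ifa_ifp. All model_* names, the table contents and the use of ENOENT for an out-of-range index are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>

/* Hypothetical userland model; these are not the kernel's structures. */
struct model_ifnet { const char *name; };
struct model_ifaddr { struct model_ifnet *ifa_ifp; };

#define MODEL_IF_INDEX 4	/* highest index ever assigned */

static struct model_ifnet ifn2 = { "ifB0" }, ifn4 = { "lo0" };
static struct model_ifaddr ifa2 = { &ifn2 }, ifa4 = { &ifn4 };

/* Constructed data: slots 1 and 3 are empty, their drivers were unloaded. */
static struct model_ifaddr *model_table[MODEL_IF_INDEX + 1] = {
	NULL, NULL, &ifa2, NULL, &ifa4
};

/* The range test quoted in the report; nonzero means "rejected". */
int
range_check_rejects(int idx)
{
	return (idx <= 0 || idx > MODEL_IF_INDEX);
}

/* Stand-in for ifaddr_byindex(): returns NULL for an empty slot. */
struct model_ifaddr *
model_ifaddr_byindex(int idx)
{
	return (model_table[idx]);
}

/* Lookup that tests the table entry itself before dereferencing it. */
int
lookup_checked(int idx, struct model_ifnet **ifpp)
{
	struct model_ifaddr *ifa;

	if (range_check_rejects(idx))
		return (ENOENT);	/* assumption: same errno as below */
	ifa = model_ifaddr_byindex(idx);
	if (ifa == NULL || ifa->ifa_ifp == NULL)
		return (ENOENT);	/* index in range, interface gone */
	*ifpp = ifa->ifa_ifp;
	return (0);
}
```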
