From Tor.Egge@idt.ntnu.no  Sun May 18 06:08:56 1997
Received: from skarven.itea.ntnu.no (tegge@skarven.itea.ntnu.no [129.241.190.13])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id GAA27567
          for <FreeBSD-gnats-submit@freebsd.org>; Sun, 18 May 1997 06:08:55 -0700 (PDT)
Received: (from tegge@localhost)
	by skarven.itea.ntnu.no (8.8.5/8.8.5) id PAA00589;
	Sun, 18 May 1997 15:08:52 +0200 (CEST)
Message-Id: <199705181308.PAA00589@skarven.itea.ntnu.no>
Date: Sun, 18 May 1997 15:08:52 +0200 (CEST)
From: Tor Egge <Tor.Egge@idt.ntnu.no>
Reply-To: Tor.Egge@idt.ntnu.no
To: FreeBSD-gnats-submit@freebsd.org
Subject: getsockname and getpeername may cause trap 12
X-Send-Pr-Version: 3.2

>Number:         3618
>Category:       kern
>Synopsis:       getsockname and getpeername may cause trap 12
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 18 06:10:02 PDT 1997
>Closed-Date:    Sun May 18 17:20:05 1997
>Last-Modified:  Sun May 18 17:21:49 PDT 1997
>Originator:     Tor Egge
>Release:        FreeBSD 3.0-CURRENT i386
>Organization:
Norwegian University of Science and Technology, Trondheim, Norway
>Environment:

FreeBSD skarven.itea.ntnu.no 3.0-CURRENT FreeBSD 3.0-CURRENT #1: Sun May 18 14:41:28 CEST 1997     root@skarven.itea.ntnu.no:/usr/src/sys/compile/SKARVEN  i386

>Description:

During the getsockname() or getpeername() call, a network interrupt
might reset the connection, causing the socket to no longer have a pcb.
If this happens at the wrong time, the system gets a trap 12.

>How-To-Repeat:

Run an FTP server with tcp wrappers installed on the system.

Start a lot of connections to the ftp server, and close/reset
the connections from the client side as soon as the connection is established.

>Fix:

Disallow network interrupts while the address is found and copied.
Handle the case where the socket was disconnected before the network
interrupts were disabled.

Index: in_pcb.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/in_pcb.c,v
retrieving revision 1.31
diff -c -r1.31 in_pcb.c
*** in_pcb.c	1997/04/27 20:01:04	1.31
--- in_pcb.c	1997/05/18 12:50:35
***************
*** 470,478 ****
--- 470,483 ----
  	struct socket *so;
  	struct mbuf *nam;
  {
+ 	int s = splnet();
  	register struct inpcb *inp = sotoinpcb(so);
  	register struct sockaddr_in *sin;
  
+ 	if (!inp) {
+ 		splx(s);
+ 		return EINVAL;
+ 	}
  	nam->m_len = sizeof (*sin);
  	sin = mtod(nam, struct sockaddr_in *);
  	bzero((caddr_t)sin, sizeof (*sin));
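Review bot: EINVAL on the new `if (!inp)` path reports a bad argument, but the pcb is missing here because the peer reset the connection while the call was in flight (the scenario in the Description), so ECONNRESET would describe the condition to userland more accurately than EINVAL. The ordering is right otherwise: `int s = splnet();` is evaluated before the `sotoinpcb(so)` initializer, so the lookup and the NULL check both run with network interrupts masked, which is what closes the window.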
***************
*** 480,485 ****
--- 485,491 ----
  	sin->sin_len = sizeof(*sin);
  	sin->sin_port = inp->inp_lport;
  	sin->sin_addr = inp->inp_laddr;
+ 	splx(s);
  	return 0;
  }
  
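Review bot: the single `splx(s)` ahead of `return 0` balances the `splnet()` taken at entry, and together with the early return in the previous hunk no path leaves in_setsockaddr at raised priority. The reads of `inp->inp_lport` and `inp->inp_laddr` now sit inside the masked region, which is the minimum needed; anything read from `inp` after `splx(s)` would reopen the race, so later edits must keep all uses of `inp` above that line.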
***************
*** 488,496 ****
--- 494,507 ----
  	struct socket *so;
  	struct mbuf *nam;
  {
+ 	int s = splnet();
  	struct inpcb *inp = sotoinpcb(so);
  	register struct sockaddr_in *sin;
  
+ 	if (!inp) {
+ 		splx(s);
+ 		return EINVAL;
+ 	}
  	nam->m_len = sizeof (*sin);
  	sin = mtod(nam, struct sockaddr_in *);
  	bzero((caddr_t)sin, sizeof (*sin));
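Review bot: as for in_setsockaddr, EINVAL is a questionable code for the `if (!inp)` path: for getpeername a socket whose pcb has been detached simply has no peer any more, so ENOTCONN (or ECONNRESET) would let applications distinguish a lost connection from a programming error. The placement of `int s = splnet();` before the `sotoinpcb(so)` initializer is correct for the same reason as in the first hunk.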
***************
*** 498,503 ****
--- 509,515 ----
  	sin->sin_len = sizeof(*sin);
  	sin->sin_port = inp->inp_fport;
  	sin->sin_addr = inp->inp_faddr;
+ 	splx(s);
  	return 0;
  }
  
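Review bot: release on the success path mirrors in_setsockaddr, and `inp->inp_fport`/`inp->inp_faddr` are read under the mask. Since the protected region now runs from the lookup in the previous hunk through the last field read here, the `bzero`/`mtod` lines in between also execute at splnet; that is harmless today, but a short comment at the `splnet()` call saying why the level is raised would help keep code that may block out of this stretch later.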
>Release-Note:
>Audit-Trail:

From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
To: Tor.Egge@idt.ntnu.no
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: kern/3618: getsockname and getpeername may cause trap 12
Date: Sun, 18 May 1997 15:08:57 -0400 (EDT)

 <<On Sun, 18 May 1997 15:08:52 +0200 (CEST), Tor Egge <Tor.Egge@idt.ntnu.no> said:
 
 > During the getsockname() or getpeername() call, a network interrupt
 > might reset the connection, causing the socket to no longer have a pcb.
 > If this happens at the wrong time, the system gets a trap 12.
 
 This fix looks OK.  You have commit privs...
 
 -GAWollman
 
 --
 Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
 wollman@lcs.mit.edu  | O Siem / The fires of freedom 
 Opinions not those of| Dance in the burning flame
 MIT, LCS, CRS, or NSA|                     - Susan Aglukark and Chad Irschick

State-Changed-From-To: open->closed
State-Changed-By: tegge
State-Changed-When: Sun May 18 17:20:05 1997
State-Changed-Why:
Fixed in revision 1.32 of sys/netinet/in_pcb.c
>Unformatted:
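The race described in the PR and the shape of the fix, as an added user-space model that is not code from the PR or from FreeBSD: `splnet()`/`splx()` are reduced to a mask bit plus a pending flag, and the network interrupt that detaches the pcb is delivered at the worst instant, between the `sotoinpcb()` lookup and the field copies. Only the names `splnet`, `splx`, `so_pcb`, `inp_lport` and `inp_laddr` come from the kernel; `netisr_fire`, `netisr_run`, `run_case`, the poison pattern and the sample address are constructed for the model.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the kernel structures (constructed for the model). */
struct inpcb  { unsigned short inp_lport; unsigned int inp_laddr; };
struct socket { struct inpcb *so_pcb; };        /* NULL once the pcb is detached */
struct sockaddr_model { unsigned short port; unsigned int addr; };

/* Interrupt model: at raised priority a network interrupt is only marked
 * pending and is delivered when splx() lowers the level again. */
static int spl_masked, netisr_pending;
static struct socket *netisr_target;

/* What a RST does: detach and free the pcb.  The model poisons the storage
 * instead of freeing it so a stale read shows up as 0xdd bytes rather than
 * as undefined behaviour (the trap 12 of the report). */
static void netisr_run(struct socket *so)
{
    struct inpcb *inp = so->so_pcb;
    so->so_pcb = NULL;
    if (inp)
        memset(inp, 0xdd, sizeof(*inp));
}

static void netisr_fire(struct socket *so)
{
    if (spl_masked) { netisr_pending = 1; netisr_target = so; }
    else            netisr_run(so);
}

static int splnet(void) { int s = spl_masked; spl_masked = 1; return s; }

static void splx(int s)
{
    spl_masked = s;
    if (!spl_masked && netisr_pending) {
        netisr_pending = 0;
        netisr_run(netisr_target);
    }
}

/* Pre-fix shape of in_setsockaddr(): no mask, no NULL check, and the
 * interrupt lands between the lookup and the field copies. */
static int setsockaddr_racy(struct socket *so, struct sockaddr_model *sin)
{
    struct inpcb *inp = so->so_pcb;     /* sotoinpcb(so) */
    netisr_fire(so);                    /* RST arrives here: pcb torn down */
    sin->port = inp->inp_lport;         /* reads the poisoned pcb */
    sin->addr = inp->inp_laddr;
    return 0;
}

/* Post-fix shape: raise to splnet before the lookup, check the pcb under
 * the mask, release on every exit; the interrupt is deferred to splx(). */
static int setsockaddr_fixed(struct socket *so, struct sockaddr_model *sin)
{
    int s = splnet();
    struct inpcb *inp = so->so_pcb;
    if (!inp) {
        splx(s);
        return EINVAL;                  /* error code used by the patch */
    }
    netisr_fire(so);                    /* same instant, now masked */
    sin->port = inp->inp_lport;
    sin->addr = inp->inp_laddr;
    splx(s);                            /* pending reset runs now, safely */
    return 0;
}

/* Runs one call on a fresh socket (detached=1: connection already reset
 * before the call).  Returns 0 if the copied-out address matches the live
 * pcb, -1 if stale data came back, otherwise the errno value. */
static int run_case(int (*fn)(struct socket *, struct sockaddr_model *),
                    int detached)
{
    struct inpcb pcb = { 2121, 0xc0a80001u };   /* constructed: 192.168.0.1:2121 */
    struct socket so = { detached ? NULL : &pcb };
    struct sockaddr_model sin = { 0, 0 };
    int rc;

    spl_masked = netisr_pending = 0;
    netisr_target = NULL;
    rc = fn(&so, &sin);
    if (rc != 0)
        return rc;
    return (sin.port == 2121 && sin.addr == 0xc0a80001u) ? 0 : -1;
}

int main(void)
{
    printf("racy,  live pcb: %d\n", run_case(setsockaddr_racy, 0));   /* -1 */
    printf("fixed, live pcb: %d\n", run_case(setsockaddr_fixed, 0));  /* 0 */
    printf("fixed, detached: %d\n", run_case(setsockaddr_fixed, 1));  /* EINVAL */
    return 0;
}
```

The model pins the interrupt to one instruction boundary; in the kernel it can land anywhere between the lookup and the last read, which is why the fix raises the level before `sotoinpcb()` rather than merely re-checking the pointer. The detached case shows why the NULL check has to live inside the masked region: a reset that completed just before the call leaves `so_pcb` NULL, and only the check turns that into an error return instead of a NULL dereference.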
