From nobody  Sun Jul  6 14:54:14 1997
Received: (from nobody@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id OAA07611;
          Sun, 6 Jul 1997 14:54:14 -0700 (PDT)
Message-Id: <199707062154.OAA07611@hub.freebsd.org>
Date: Sun, 6 Jul 1997 14:54:14 -0700 (PDT)
From: terzis@cs.ucla.edu
To: freebsd-gnats-submit@freebsd.org
Subject: kernel crashes when ip_output() is called with a NULL route argument
X-Send-Pr-Version: www-1.0

>Number:         4044
>Category:       kern
>Synopsis:       kernel crashes when ip_output() is called with a NULL route argument
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jul  6 15:00:01 PDT 1997
>Closed-Date:    Sun Aug 17 11:58:17 PDT 1997
>Last-Modified:  Sun Aug 17 11:59:06 PDT 1997
>Originator:     Andreas Terzis
>Release:        2.2.2-RELEASE
>Organization:
UCLA computer Science Dept
>Environment:
FreeBSD pear.dnrc.bell-labs.com 2.2.2-RELEASE FreeBSD 2.2.2-RELEASE #1:
Thu Jul  3 19:08:37 EDT 1997     terzis@pear.dnrc.bell-labs.com:
/devel/MIP-kernel/sys/compile/RSVP+MIP-pear  i386

>Description:
When ip_output() in netinet/ip_output.c is called with a NULL route 
argument header the kernel crashes, because a test for a NULL argument
has been removed from this version of the code. You can find the test
in older versions of the same file or in the Stevens book
TCP/IP Illustrated Vol. II (page 230)

>How-To-Repeat:
Try to hand a packet to ip_output for forwarding with a NULL route 
argument.
>Fix:
Include a test for NULL route header.
This is what I have done and it worked:

/*
 * IP output.  The packet in mbuf chain m contains a skeletal IP
 * header (with len, off, ttl, proto, tos, src, dst).
 * The mbuf chain containing the packet will be freed.
 * The mbuf opt, if present, will not be freed.
 */
int
ip_output(m0, opt, ro, flags, imo)
        struct mbuf *m0;
        struct mbuf *opt;
        struct route *ro;
        int flags;
        struct ip_moptions *imo;
{
        struct ip *ip, *mhip;
        struct ifnet *ifp;
        struct mbuf *m = m0;
        int hlen = sizeof (struct ip);
        int len, off, error = 0;
        struct sockaddr_in *dst;
        struct in_ifaddr *ia;
        int isbroadcast;
        struct route iproute; /* ADDED */

#ifdef  DIAGNOSTIC
        if ((m->m_flags & M_PKTHDR) == 0)
                panic("ip_output no HDR");
        if (!ro)
                panic("ip_output no route, proto = %d",
                      mtod(m, struct ip *)->ip_p);
#endif
        if (opt) {
                m = ip_insertoptions(m, opt, &len);
                hlen = len;
        }
        ip = mtod(m, struct ip *);
        /*
         * Fill in IP header.
         */
        if ((flags & (IP_FORWARDING|IP_RAWOUTPUT)) == 0) {
                ip->ip_vhl = IP_MAKE_VHL(IPVERSION, hlen >> 2); 
                ip->ip_off &= IP_DF;
                ip->ip_id = htons(ip_id++);
                ipstat.ips_localout++;
        } else {
                hlen = IP_VHL_HL(ip->ip_vhl) << 2;
        }


/* ADDED test for NULL ro argument */

        if (ro == 0) { 
                ro = &iproute;
                bzero ((caddr_t) ro, sizeof(*ro));
        }

>Release-Note:
>Audit-Trail:

From: Bill Fenner <fenner@parc.xerox.com>
To: owner-bugs@freebsd.org
Cc: freebsd-gnats-submit@freebsd.org, terzis@pear.dnrc.bell-labs.com,
        terzis@cs.ucla.edu
Subject: Re: kern/4044: kernel crashes when ip_output() is called with a NULL route argument 
Date: Sun, 6 Jul 1997 21:18:13 PDT

 Note, this message had a malformed From: header of "terzis@cs..ucla.edu".
 
 >a test for a NULL argument has been removed from this version of the code.
 
 This was a conscious decision.  It's now an error to hand a packet to
 ip_output with a NULL route argument.  Use a private cached route (see
 IGMP for an example).
 
   Bill

From: Bill Fenner <fenner@parc.xerox.com>
To: freebsd-gnats-submit@freebsd.org, terzis@cs.ucla.edu
Cc:
Subject: Re: kern/4044: kernel crashes when ip_output() is called with a NULL route argument
Date: Mon, 7 Jul 1997 00:20:10 PDT

 Two more things:
 
 1) It's a good idea to use "options DIAGNOSTIC" when writing network
 code; it enables extra checks, one of which is a "panic: no route".
 
 2) If you do any kind of packet/flow classification and have a data
 structure that might be associated with a single destination address,
 you should add a route to that data structure (like TCP and multicast
 tunnels do) and pass that to ip_output instead.
 
   Bill

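The pattern recommended in the reply above, as an added example (not code from this PR or from the FreeBSD tree): a userland C model in which a per-flow structure owns its own `struct route` and passes it to the output routine on every send, so the route pointer is never NULL and the lookup is cached across packets. `flow_entry`, `flow_init`, `flow_send` and `model_ip_output` are hypothetical names, and `struct route` / `struct rtentry` are simplified stand-ins for the kernel structures.

```c
/* Userland model with constructed data; not FreeBSD kernel code. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct rtentry { uint32_t rt_gateway; };                    /* simplified stand-in */
struct route   { struct rtentry *ro_rt; uint32_t ro_dst; }; /* simplified stand-in */

static struct rtentry rt_table = { 0x0a000001 };  /* single constructed route */
static int rt_lookups;                            /* number of full lookups done */

/* Model of the output routine: the caller must supply the route cache.
 * Returning -1 for NULL is an assumption so the case can be tested. */
static int model_ip_output(uint32_t dst, struct route *ro)
{
    if (ro == NULL)
        return -1;
    if (ro->ro_rt != NULL && ro->ro_dst != dst)
        ro->ro_rt = NULL;               /* cached route is for another dst */
    if (ro->ro_rt == NULL) {            /* cache miss: do the lookup once */
        ro->ro_dst = dst;
        ro->ro_rt = &rt_table;
        rt_lookups++;
    }
    return 0;
}

/* Hypothetical per-flow classifier state that embeds its cached route. */
struct flow_entry {
    uint32_t     fe_dst;
    struct route fe_route;
};

static void flow_init(struct flow_entry *fe, uint32_t dst)
{
    memset(fe, 0, sizeof(*fe));         /* empty cache: first send looks up */
    fe->fe_dst = dst;
}

static int flow_send(struct flow_entry *fe)
{
    return model_ip_output(fe->fe_dst, &fe->fe_route);
}

int main(void)
{
    struct flow_entry fe;
    flow_init(&fe, 0xc0a80102);         /* constructed destination */
    return (flow_send(&fe) == 0 && flow_send(&fe) == 0 && rt_lookups == 1) ? 0 : 1;
}
```
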
From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
To: terzis@cs..ucla.edu
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: kern/4044: kernel crashes when ip_output() is called with a NULL route argument
Date: Mon, 7 Jul 1997 19:21:12 -0400 (EDT)

 <<On Sun, 6 Jul 1997 14:54:14 -0700 (PDT), terzis@cs..ucla.edu said:
 
 > When ip_output() in netinet/ip_output.c is called with a NULL route 
 > argument header the kernel crashes, because a test for a NULL argument
 > has been removed from this version of the code. 
 
 That is intentional.
 
 >> Fix:
 > Include a test for NULL route header.
 
 Correct fix: always give ip_output() a route.
 
 -GAWollman
 
 --
 Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
 wollman@lcs.mit.edu  | O Siem / The fires of freedom 
 Opinions not those of| Dance in the burning flame
 MIT, LCS, CRS, or NSA|                     - Susan Aglukark and Chad Irschick
State-Changed-From-To: open->closed 
State-Changed-By: fenner 
State-Changed-When: Sun Aug 17 11:58:17 PDT 1997 
State-Changed-Why:  
As described in the audit trail, this is not a bug. 
>Unformatted:
fenner removed extra . from From line Mon Jul  7 01:10:43 PDT 1997
Original was: From: terzis@cs..ucla.edu
