From sethk@magnesium.net  Sat Jan 21 10:29:00 2006
Return-Path: <sethk@magnesium.net>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 66EB016A41F
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 21 Jan 2006 10:29:00 +0000 (GMT)
	(envelope-from sethk@magnesium.net)
Received: from toxic.magnesium.net (toxic.magnesium.net [207.154.84.15])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 3DB8C43D45
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 21 Jan 2006 10:29:00 +0000 (GMT)
	(envelope-from sethk@magnesium.net)
Received: by toxic.magnesium.net (Postfix, from userid 1165)
	id 05CC3DA8C0; Sat, 21 Jan 2006 02:29:00 -0800 (PST)
Message-Id: <20060121102900.05CC3DA8C0@toxic.magnesium.net>
Date: Sat, 21 Jan 2006 02:29:00 -0800 (PST)
From: Seth Kingsley <sethk@meowfishies.com>
Reply-To: Seth Kingsley <sethk@meowfishies.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [patch] IP address hash corruption bug
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         92091
>Category:       kern
>Synopsis:       [netinet] [patch] IP address hash corruption bug
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    andre
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 21 10:30:03 GMT 2006
>Closed-Date:    Fri Apr 14 16:03:21 GMT 2006
>Last-Modified:  Fri Apr 14 16:03:21 GMT 2006
>Originator:     Seth Kingsley
>Release:        FreeBSD 5.4-RELEASE i386
>Organization:
>Environment:
System: FreeBSD neko.home.meowfishies.com 5.4-RELEASE FreeBSD 5.4-RELEASE #1:
Sat Jan 14 22:37:52 UTC 2006
sethk@neko.home.meowfishies.com:/usr/src/sys/i386/compile/GENERIC  i386

>Description:
	You can cause a panic (page fault) by supplying a non-AF_INET address
	as the parameter to SIOCSIFADDR.  The command will fail, removing the
	temporary address from the IP hash, which it was never added to.
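	Added illustration, not part of this PR: a userland model of the
	in_ifaddr hash built on the queue(3) LIST macros, showing why an
	unconditional LIST_REMOVE on an entry that was never hashed writes
	through a NULL le_prev pointer, and what the AF_INET guard changes.
	All names and the AF_INET_SIM value are made up for the model.

```c
/* Userland model of the in_ifaddr address hash (illustration only).
 * An entry is hashed only when its family is AF_INET, exactly as the
 * kernel does; a non-INET entry keeps its zeroed, never-linked state. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <sys/queue.h>

#define AF_INET_SIM 2   /* stands in for AF_INET; value is illustrative */

struct sim_ifaddr {
    int family;                         /* like ia->ia_addr.sin_family */
    LIST_ENTRY(sim_ifaddr) hash_link;   /* like ia_hash */
};

LIST_HEAD(sim_hashhead, sim_ifaddr);
static struct sim_hashhead sim_hash = LIST_HEAD_INITIALIZER(sim_hash);

/* Kernel rule: only AF_INET entries are inserted into the hash.
 * The entry is zero-filled first (kernel allocates with M_ZERO),
 * so an unhashed entry has le_prev == NULL. */
static void sim_add(struct sim_ifaddr *ia, int family)
{
    memset(ia, 0, sizeof(*ia));
    ia->family = family;
    if (family == AF_INET_SIM)
        LIST_INSERT_HEAD(&sim_hash, ia, hash_link);
}

/* Pre-fix behaviour: LIST_REMOVE does "*le_prev = le_next" without
 * checking.  Returns false when that store would hit NULL, which in
 * the kernel is the page fault this PR reports. */
static bool sim_remove_unguarded_is_safe(const struct sim_ifaddr *ia)
{
    return ia->hash_link.le_prev != NULL;
}

/* Post-fix behaviour: unlink only entries that were actually hashed.
 * Returns whether anything was removed. */
static bool sim_remove_guarded(struct sim_ifaddr *ia)
{
    if (ia->family != AF_INET_SIM)
        return false;
    LIST_REMOVE(ia, hash_link);
    return true;
}

/* Number of entries currently in the model hash. */
static int sim_count(void)
{
    int n = 0;
    struct sim_ifaddr *p;
    LIST_FOREACH(p, &sim_hash, hash_link)
        n++;
    return n;
}
```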

>How-To-Repeat:

#include    <sys/types.h>
#include    <sys/ioctl.h>
#include    <sys/socket.h>
#include    <sys/sockio.h>
#include    <net/if.h>
#include    <netinet/in.h>

#include    <err.h>
#include    <stdio.h>
#include    <stdlib.h>
#include    <string.h>
#include    <strings.h>
#include    <sysexits.h>
#include    <unistd.h>

int
main(int ac, char *av[])
{
    const char *ifname;
    int sfd;
    struct ifreq ifr;
    register int i;

    if (ac != 2)
    {
	fprintf(stderr, "usage: %s <ifname>\n", getprogname());
	return EX_USAGE;
    }

    if ((sfd = socket(PF_INET, SOCK_DGRAM, 0)) == -1)
	err(EX_OSERR, "create socket");

    /* Build a request whose address is deliberately not AF_INET. */
    bzero(&ifr, sizeof(ifr));
    strlcpy(ifr.ifr_name, av[1], sizeof(ifr.ifr_name));
    ifr.ifr_addr.sa_len = 0;
    ifr.ifr_addr.sa_family = AF_MAX;
    /* The ioctl fails; on an unpatched kernel the error path unlinks
     * the temporary in_ifaddr from a hash it was never inserted into. */
    for (i = 0; i < 2; ++i)
	if (ioctl(sfd, SIOCSIFADDR, &ifr) == -1)
	    err(EX_OSERR, "SIOCSIFADDR");

    close(sfd);

    return EX_OK;
}

>Fix:
	Only remove the temporary in_ifaddr structure from the hash if it is
	actually an AF_INET address:

--- /sys/netinet/in.c.orig	Sun Jan 22 02:16:39 2006
+++ /sys/netinet/in.c	Sun Jan 22 02:17:14 2006
@@ -466,7 +466,8 @@
 	s = splnet();
 	TAILQ_REMOVE(&ifp->if_addrhead, &ia->ia_ifa, ifa_link);
 	TAILQ_REMOVE(&in_ifaddrhead, ia, ia_link);
-	LIST_REMOVE(ia, ia_hash);
+	if (ia->ia_addr.sin_family == AF_INET)
+		LIST_REMOVE(ia, ia_hash);
 	IFAFREE(&ia->ia_ifa);
 	splx(s);
 
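Review bot: the new `if (ia->ia_addr.sin_family == AF_INET)` guard before `LIST_REMOVE(ia, ia_hash)` should carry a one-line comment stating that an in_ifaddr is inserted into the address hash only when it is AF_INET, otherwise a later reader cannot tell why a non-INET entry could exist here at all. Because the guard duplicates the insertion condition that lives elsewhere in in.c, it is worth keeping both in one place (a shared predicate or helper) so they cannot drift apart: an unmatched LIST_REMOVE writes through an uninitialised le_prev pointer, which is exactly the page fault this report describes.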
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->patched 
State-Changed-By: andre 
State-Changed-When: Tue Jan 24 16:20:59 UTC 2006 
State-Changed-Why:  
The fix has been committed in rev. 1.93 of in.c. 


Responsible-Changed-From-To: freebsd-bugs->andre 
Responsible-Changed-By: andre 
Responsible-Changed-When: Tue Jan 24 16:20:59 UTC 2006 
Responsible-Changed-Why:  

http://www.freebsd.org/cgi/query-pr.cgi?pr=92091 
State-Changed-From-To: patched->closed 
State-Changed-By: maxim 
State-Changed-When: Fri Apr 14 16:02:51 UTC 2006 
State-Changed-Why:  
Fixed in HEAD and RELENG_6.  Thanks for the submission! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=92091 
>Unformatted:
