On 10/03/15(Tue) 14:57, Henk Jan Agteresch wrote:
> On Tue, 10 Mar 2015, Martin Pieuchot wrote:
>
> >
> > Thanks for the bug report, I'm preparing a diff, but I still fail
> > to understand how it can work with 5.5. If you still have a working
> > 5.5 with this configuration could you paste me the output of:
> >
> > # netstat -rnf inet
> >
>
> Routing tables
>
> Internet:
> Destination Gateway Flags Refs Use Mtu Prio Iface
> default 213.154.229.23 UGS 1 298 - 8 pcn0
> 127/8 127.0.0.1 UGRS 0 0 33144 8 lo0
> 127.0.0.1 127.0.0.1 UH 1 0 33144 4 lo0
> 213.154.229.23 fe:54:00:37:02:d7 UHLS 1 0 - 8 pcn0
> 213.154.236.189 213.154.236.189 H 0 0 - 4 gif0
> 213.154.236.189/32 link#1 UC 0 0 - 4 pcn0
> 224/4 127.0.0.1 URS 0 0 33144 8 lo0
Here's a first diff that should prevent the stack smashing. Could you
run with it and tell me if the ARP entry gets overwritten as in 5.5?
Index: netinet/if_ether.c
===================================================================
RCS file: /cvs/src/sys/netinet/if_ether.c,v
retrieving revision 1.146
diff -u -p -r1.146 if_ether.c
--- netinet/if_ether.c 11 Feb 2015 23:34:43 -0000 1.146
+++ netinet/if_ether.c 10 Mar 2015 15:25:48 -0000
@@ -399,6 +399,13 @@ arpresolve(struct arpcom *ac, struct rte
return (EINVAL);
}
sdl = SDL(rt->rt_gateway);
+ if (sdl->sdl_alen > 0 && sdl->sdl_alen != ETHER_ADDR_LEN) {
+ log(LOG_DEBUG, "%s: %s: incorrect arp information\n", __func__,
+ inet_ntop(AF_INET, &satosin(dst)->sin_addr,
+ addr, sizeof(addr)));
+ m_freem(m);
+ return (EINVAL);
+ }
/*
* Check the address family and length is valid, the address
* is resolved; otherwise, try to resolve.
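Review bot: `addr` is used as the inet_ntop() output buffer in the added log() call but is not declared anywhere in this hunk; unless arpresolve() already has a `char addr[INET_ADDRSTRLEN];` in scope this will not compile (the nd6 hunk declares its own buffer inside the if block). The message "incorrect arp information" would also be more useful to the reporter if it included sdl->sdl_alen and ifp->if_xname, since the point of the test run is to see which entry, on which interface, carries the wrong link-layer length.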
Index: netinet6/nd6.c
===================================================================
RCS file: /cvs/src/sys/netinet6/nd6.c,v
retrieving revision 1.131
diff -u -p -r1.131 nd6.c
--- netinet6/nd6.c 11 Feb 2015 23:34:43 -0000 1.131
+++ netinet6/nd6.c 10 Mar 2015 15:25:52 -0000
@@ -1868,13 +1868,11 @@ nd6_storelladdr(struct ifnet *ifp, struc
return (EINVAL);
}
sdl = SDL(rt->rt_gateway);
- if (sdl->sdl_alen == 0) {
+ if (sdl->sdl_alen == 0 || sdl->sdl_alen != ETHER_ADDR_LEN) {
char addr[INET6_ADDRSTRLEN];
- /* this should be impossible, but we bark here for debugging */
- printf("nd6_storelladdr: sdl_alen == 0, dst=%s, if=%s\n",
+ log(LOG_DEBUG, "%s: %s: incorrect nd6 information\n", __func__,
inet_ntop(AF_INET6, &satosin6(dst)->sin6_addr,
- addr, sizeof(addr)),
- ifp->if_xname);
+ addr, sizeof(addr)));
m_freem(m);
return (EINVAL);
}
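Review bot: the condition `sdl->sdl_alen == 0 || sdl->sdl_alen != ETHER_ADDR_LEN` reduces to `sdl->sdl_alen != ETHER_ADDR_LEN`, since 0 can never equal ETHER_ADDR_LEN; the first clause is redundant and can be dropped. The rewritten log() also loses `ifp->if_xname`, which the old printf() printed and which is the piece of information that identifies the offending interface in a report like this one; consider keeping it, e.g. `log(LOG_DEBUG, "%s: %s: incorrect nd6 information, if=%s\n", __func__, ..., ifp->if_xname);`. Removing the "this should be impossible" comment is right, since the length check is now expected to trigger.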