On 10 March 2015 at 11:36, Martin Pieuchot <[email protected]> wrote:
> On 10/03/15(Tue) 14:57, Henk Jan Agteresch wrote:
>> On Tue, 10 Mar 2015, Martin Pieuchot wrote:
>>
>> >
>> > Thanks for the bug report, I'm preparing a diff, but I still fail
>> > to understand how it can work with 5.5.  If you still have a working
>> > 5.5 with this configuration could you paste me the output of:
>> >
>> > # netstat -rnf inet
>> >
>>
>> Routing tables
>>
>> Internet:
>> Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
>> default            213.154.229.23     UGS        1      298     -     8 pcn0
>> 127/8              127.0.0.1          UGRS       0        0 33144     8 lo0
>> 127.0.0.1          127.0.0.1          UH         1        0 33144     4 lo0
>> 213.154.229.23     fe:54:00:37:02:d7  UHLS       1        0     -     8 pcn0
>> 213.154.236.189    213.154.236.189    H          0        0     -     4 gif0
>> 213.154.236.189/32 link#1             UC         0        0     -     4 pcn0
>> 224/4              127.0.0.1          URS        0        0 33144     8 lo0
>
> Here's a first diff that should prevent the stack smashing.  Could you
> run with it and tell me if the ARP entry gets overwritten as in 5.5?
>
> Index: netinet/if_ether.c
> ===================================================================
> RCS file: /cvs/src/sys/netinet/if_ether.c,v
> retrieving revision 1.146
> diff -u -p -r1.146 if_ether.c
> --- netinet/if_ether.c  11 Feb 2015 23:34:43 -0000      1.146
> +++ netinet/if_ether.c  10 Mar 2015 15:25:48 -0000
> @@ -399,6 +399,13 @@ arpresolve(struct arpcom *ac, struct rte
>                 return (EINVAL);
>         }
>         sdl = SDL(rt->rt_gateway);
> +       if (sdl->sdl_alen > 0 && sdl->sdl_alen != ETHER_ADDR_LEN) {
> +               log(LOG_DEBUG, "%s: %s: incorrect arp information\n", 
> __func__,
> +                   inet_ntop(AF_INET, &satosin(dst)->sin_addr,
> +                       addr, sizeof(addr)));
> +               m_freem(m);
> +               return (EINVAL);
> +       }
>         /*
>          * Check the address family and length is valid, the address
>          * is resolved; otherwise, try to resolve.
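Review bot: the new check uses `addr` (and `satosin(dst)`) but nothing in this hunk declares it, unlike the nd6 hunk further down, which declares `char addr[INET6_ADDRSTRLEN]` inside the block; confirm `addr` is already in scope in arpresolve() and sized at least INET_ADDRSTRLEN, or declare it locally the way the nd6 version does. The log() call has also been wrapped by the mailer (`__func__,` sits on its own line), so the diff will not apply as pasted. Letting `sdl_alen == 0` fall through to the "otherwise, try to resolve" path looks right: only a non-zero length that differs from ETHER_ADDR_LEN can feed an oversized copy, which is the stack smash this diff is meant to stop.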
> Index: netinet6/nd6.c
> ===================================================================
> RCS file: /cvs/src/sys/netinet6/nd6.c,v
> retrieving revision 1.131
> diff -u -p -r1.131 nd6.c
> --- netinet6/nd6.c      11 Feb 2015 23:34:43 -0000      1.131
> +++ netinet6/nd6.c      10 Mar 2015 15:25:52 -0000
> @@ -1868,13 +1868,11 @@ nd6_storelladdr(struct ifnet *ifp, struc
>                 return (EINVAL);
>         }
>         sdl = SDL(rt->rt_gateway);
> -       if (sdl->sdl_alen == 0) {
> +       if (sdl->sdl_alen == 0 || sdl->sdl_alen != ETHER_ADDR_LEN) {

Isn't the "sdl->sdl_alen == 0" redundant here? i.e. 0 != ETHER_ADDR_LEN.

.... Ken

>                 char addr[INET6_ADDRSTRLEN];
> -               /* this should be impossible, but we bark here for debugging 
> */
> -               printf("nd6_storelladdr: sdl_alen == 0, dst=%s, if=%s\n",
> +               log(LOG_DEBUG, "%s: %s: incorrect nd6 information\n", 
> __func__,
>                     inet_ntop(AF_INET6, &satosin6(dst)->sin6_addr,
> -                       addr, sizeof(addr)),
> -                   ifp->if_xname);
> +                       addr, sizeof(addr)));
>                 m_freem(m);
>                 return (EINVAL);
>         }
>
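Review bot: the replacement message drops `ifp->if_xname`, which the old printf reported; since the reporter is being asked to watch whether the entry gets overwritten, the interface name is the one thing that tells you which neighbour entry carried the bad length, so consider keeping it, e.g. `"%s: %s: incorrect nd6 information, if=%s\n"`. On the condition, Ken's point stands: `sdl->sdl_alen == 0 ||` is subsumed by `sdl->sdl_alen != ETHER_ADDR_LEN` and can be dropped, unless the intent is to keep the zero case readable as the distinct "unresolved" condition the removed comment described.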