Package: radvd
Version: 1:1.6-1
Severity: important
Tags: upstream patch ipv6

When starting IPv6 nodes in my network shortly after radvd is started,
radvd sometimes crashes with a segfault. I have traced it to a coding
error in the clear_timer function of timer.c in the radvd source
distribution.

Under some circumstances, clear_timer() in timer.c is called when the
timer_lst argument's prev and next members are NULL. clear_timer tries
to follow these pointers without checking if they are valid or not,
resulting in a segfault. Rather than figuring out why an incorrect
timer_lst structure is being passed in, I have modified the code in the
clear_timer function to check these pointers before following them.

A patch is attached.

-- System Information:
Debian Release: 6.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.36.2 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages radvd depends on:
ii adduser 3.112+nmu2 add and remove users and groups
ii libc6 2.11.2-9 Embedded GNU C Library: Shared lib
radvd recommends no packages.
radvd suggests no packages.
-- no debconf information
--- timer.c~ 2005-10-18 13:22:00.000000000 -0600
+++ timer.c 2011-01-27 12:44:28.000000000 -0700
@@ -114,8 +114,13 @@
sigaddset(&bmask, SIGALRM);
sigprocmask(SIG_BLOCK, &bmask, &oldmask);
- tm->prev->next = tm->next;
- tm->next->prev = tm->prev;
+ if (tm->prev != NULL) {
+ tm->prev->next = tm->next;
+ }
+
+ if (tm->next != NULL) {
+ tm->next->prev = tm->prev;
+ }
tm->prev = tm->next = NULL;
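Review bot: The two independent guards around `tm->prev->next = tm->next;` and `tm->next->prev = tm->prev;` hide the invalid state instead of handling it explicitly, and they accept a half-linked node (one pointer NULL, the other not) as if it were normal. The unchanged last line, `tm->prev = tm->next = NULL;`, shows that a timer which has already been cleared has both members NULL, so a second clear_timer() call on the same timer is one way to reach exactly the state described in the report. If that is the case being hit, a single test such as `if (tm->prev == NULL && tm->next == NULL)` that treats the timer as not queued would state the intent more clearly, and it would let the function skip whatever follows the unlink (not visible in this hunk) for a timer that was never on the list. A node with only one NULL pointer would indicate list corruption and is worth logging rather than silently patching around. A short comment saying that NULL prev/next means "not on the list" would also help, since the report itself notes that the reason the caller passes such a structure has not been identified.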