Module Name: src Committed By: christos Date: Mon Dec 3 18:30:25 UTC 2012
Modified Files: src/sys/external/bsd/ipf/netinet: ip_dstlist.c Log Message: PR/47270: Paul Goyette: ipftest -N aborts 1. check for NULL before dereferencing; in particular sel is assigned to NULL, in the default case, and then a couple of lines down we do sel-> 2. gcc appears to optimize u_32_t hash[4], to u_32_t hash, since we only use hash[0], disregarding the fact that we pass it to MD5Final(), leading to stack corruption. Use an explicit union, so that the compiler stops butting its head where it shouldn't. XXX: pullup to 6 To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/sys/external/bsd/ipf/netinet/ip_dstlist.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/external/bsd/ipf/netinet/ip_dstlist.c
diff -u src/sys/external/bsd/ipf/netinet/ip_dstlist.c:1.4 src/sys/external/bsd/ipf/netinet/ip_dstlist.c:1.5
--- src/sys/external/bsd/ipf/netinet/ip_dstlist.c:1.4 Sun Jul 22 12:31:26 2012
+++ src/sys/external/bsd/ipf/netinet/ip_dstlist.c Mon Dec 3 13:30:25 2012
@@ -1,4 +1,4 @@
-/* $NetBSD: ip_dstlist.c,v 1.4 2012/07/22 16:31:26 darrenr Exp $ */
+/* $NetBSD: ip_dstlist.c,v 1.5 2012/12/03 18:30:25 christos Exp $ */
 /*
 * Copyright (C) 2012 by Darren Reed.
@@ -1076,12 +1076,15 @@ ipf_dstlist_select(fr_info_t *fin, ippoo
 {
 ipf_dstnode_t *node, *sel;
 int connects;
- u_32_t hash[4];
+ union {
+ u_32_t hash[4];
+ unsigned char bytes[16];
+ } h;
 MD5_CTX ctx;
 int family;
 int x;
- if (d->ipld_dests == NULL || *d->ipld_dests == NULL)
+ if (d == NULL || d->ipld_dests == NULL || *d->ipld_dests == NULL)
 return NULL;
 family = fin->fin_family;
@@ -1139,8 +1142,8 @@ ipf_dstlist_select(fr_info_t *fin, ippoo
 sizeof(fin->fin_src6));
 MD5Update(&ctx, (u_char *)&fin->fin_dst6, sizeof(fin->fin_dst6));
- MD5Final((u_char *)hash, &ctx);
- x = hash[0] % d->ipld_nodes;
+ MD5Final(h.bytes, &ctx);
+ x = h.hash[0] % d->ipld_nodes;
 sel = d->ipld_dests[x];
 break;
@@ -1149,8 +1152,8 @@ ipf_dstlist_select(fr_info_t *fin, ippoo
 MD5Update(&ctx, (u_char *)&d->ipld_seed, sizeof(d->ipld_seed));
 MD5Update(&ctx, (u_char *)&fin->fin_src6, sizeof(fin->fin_src6));
- MD5Final((u_char *)hash, &ctx);
- x = hash[0] % d->ipld_nodes;
+ MD5Final(h.bytes, &ctx);
+ x = h.hash[0] % d->ipld_nodes;
 sel = d->ipld_dests[x];
 break;
@@ -1159,8 +1162,8 @@ ipf_dstlist_select(fr_info_t *fin, ippoo
 MD5Update(&ctx, (u_char *)&d->ipld_seed, sizeof(d->ipld_seed));
 MD5Update(&ctx, (u_char *)&fin->fin_dst6, sizeof(fin->fin_dst6));
- MD5Final((u_char *)hash, &ctx);
- x = hash[0] % d->ipld_nodes;
+ MD5Final(h.bytes, &ctx);
+ x = h.hash[0] % d->ipld_nodes;
 sel = d->ipld_dests[x];
 break;
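Review bot: The new union in the @@ -1076 hunk carries no comment explaining why it exists, and the log's explanation (gcc shrinking `hash[4]` to a scalar) would be a compiler bug given that the array's address escapes to MD5Final, so the actual cause — plausibly a mismatched MD5Final prototype in the ipftest build — is worth confirming rather than assumed. Whatever the cause, a one-line comment above the declaration would stop the next reader from folding it back into a plain array: `/* MD5Final() writes a 16-byte digest; expose it as bytes for the call and as u_32_t words for the hash index. */`. The literal `16` duplicates the MD5 digest length; if the MD5 header in scope provides a digest-length constant, prefer it over the literal. ipf_dstlist_select continues outside this hunk.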
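Review bot: `x = h.hash[0] % d->ipld_nodes;` in the @@ -1139 hunk divides by `ipld_nodes` with no guard that it is non-zero; the early return added in the @@ -1076 hunk only checks that `ipld_dests` and its first entry are non-NULL, so if `ipld_nodes` can be 0 while those hold (not visible here), this is a division by zero. If that state is reachable, extending the guard to `if (d == NULL || d->ipld_nodes == 0 || d->ipld_dests == NULL || *d->ipld_dests == NULL)` closes it in one place for the same expression in the @@ -1149 and @@ -1159 hunks as well. Note also that the index is taken from the first digest word in host byte order, so the node chosen for a given flow differs between little- and big-endian hosts; harmless for load distribution, but worth a comment if stable selection across hosts is ever assumed.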
@@ -1169,7 +1172,7 @@ ipf_dstlist_select(fr_info_t *fin, ippoo
 break;
 }
- if (sel->ipfd_dest.fd_addr.adf_family != family)
+ if (sel && sel->ipfd_dest.fd_addr.adf_family != family)
 sel = NULL;
 d->ipld_selected = sel;
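Review bot: `if (sel && sel->ipfd_dest.fd_addr.adf_family != family)` tests the pointer by truthiness while the guard added in the @@ -1076 hunk spells out `== NULL`; for consistency within the same function write `if (sel != NULL && sel->ipfd_dest.fd_addr.adf_family != family)`. A short comment would also help, since a NULL `sel` now reaches `d->ipld_selected = sel` both from the switch default (per the log) and from a family mismatch: `/* sel is NULL when no policy matched or the address family differs */`. The rest of ipf_dstlist_select, including its return, lies outside the hunk, so whether callers already handle a NULL result cannot be checked here.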