When removing an enc(4) interface from an rdomain, the kernel panics randomly
(memcpy() seems to copy outside of the mallocarray() boundaries) with something
like:
Data modified on freelist: word -35183699295756 of object 0xffff80000059da80
size 0x8 previous type free (invalid addr 0x7b44962aa448c22a)
kernel: protection fault trap, code=0
Stopped at malloc+0x4d3: movq 0x8(%r14),%rbx
Here is a script that triggers the bug:
#!/bin/sh
ifconfig enc0 rdomain 42
ifconfig enc0 rdomain 42
ifconfig enc0 rdomain 42
ifconfig enc0 -rdomain
ifconfig enc0 rdomain 42
ifconfig enc0 rdomain 42
ifconfig enc0 -rdomain
ifconfig enc0 -rdomain
ifconfig enc0 rdomain 42
ifconfig enc0 -rdomain
ifconfig enc0 -rdomain
ifconfig enc0 -rdomain
ifconfig enc0 -rdomain
ifconfig enc0 -rdomain
ifconfig enc0 rdomain 42
ifconfig enc0 rdomain 42
ls
Here is a fix:
Index: if_enc.c
===================================================================
RCS file: /cvs/src/sys/net/if_enc.c,v
retrieving revision 1.70
diff -u -p -r1.70 if_enc.c
--- if_enc.c 16 Oct 2017 08:22:25 -0000 1.70
+++ if_enc.c 24 Jun 2018 17:15:32 -0000
@@ -271,7 +271,7 @@ enc_setif(struct ifnet *ifp, u_int id)
if (id > RT_TABLEID_MAX)
return (EINVAL);
- if (id == 0 || id > enc_max_id) {
+ if (enc_ifps == NULL || id > enc_max_id) {
if ((new = mallocarray(id + 1, sizeof(struct ifnet *),
M_DEVBUF, M_NOWAIT|M_ZERO)) == NULL)
return (ENOBUFS);
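Review bot: the dropped `id == 0` test meant that every move back to rdomain 0 re-ran the allocation with `id + 1 == 1` entries while a table of `enc_max_id + 1` entries already existed, so a copy of the old table into the new one is the most plausible source of the out-of-bounds memcpy() in the report; testing `enc_ifps == NULL` instead makes the first call the only one that allocates for id 0, which is the right trigger. Two things to confirm outside the hunk: that enc_max_id starts at 0 and is only raised after a successful allocation (otherwise `id > enc_max_id` can skip a needed growth), and that the copy following the mallocarray() is skipped while enc_ifps is still NULL rather than handing NULL to memcpy(). A one-line comment above the `if` saying the table only ever grows would help the next reader.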
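To make the failure mode described at the top of the report concrete, here is an added userland model (not code from the patch or from if_enc.c) of a per-rdomain pointer table like enc_ifps/enc_max_id, run through the id sequence of the reproduction script with the pre-fix and the fixed condition side by side. Everything beyond the two `if` conditions is assumed: that the live table holds max_id + 1 entries, that a resize copies all of them, and that `ifconfig enc0 -rdomain` corresponds to id 0. Where the kernel would overrun the new buffer, the model detects the oversized copy and refuses it, so the program shows the defect without corrupting its own heap.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical model of the per-rdomain interface table that enc_setif()
 * keeps. Assumptions not taken from the patch: the live table holds
 * max_id + 1 entries, a resize copies all of them into the new array, and
 * "ifconfig enc0 -rdomain" maps to id 0.
 */
struct iftable {
	void	**ifps;		/* indexed by rdomain id; NULL until first allocation */
	size_t	  max_id;	/* highest id the current array can hold */
};

#define TABLEID_MAX	255	/* stands in for RT_TABLEID_MAX */

/* Result codes of the model (the kernel would return EINVAL/ENOBUFS). */
enum { E_OK = 0, E_OVERFLOW = -1, E_NOMEM = -2, E_INVAL = -3 };

/*
 * Replace the table with one sized for new_max_id and copy the old entries.
 * Instead of letting an oversized copy run past the new buffer, the model
 * detects that case and refuses with E_OVERFLOW: this is the situation the
 * report's "memcpy() copies outside of the mallocarray() boundaries" names.
 */
static int
resize_table(struct iftable *t, size_t new_max_id)
{
	size_t old_count = (t->ifps != NULL) ? t->max_id + 1 : 0;
	size_t new_count = new_max_id + 1;
	void **tbl;

	if (old_count > new_count)
		return E_OVERFLOW;
	if ((tbl = calloc(new_count, sizeof(void *))) == NULL)
		return E_NOMEM;
	if (t->ifps != NULL) {
		memcpy(tbl, t->ifps, old_count * sizeof(void *));
		free(t->ifps);
	}
	t->ifps = tbl;
	t->max_id = new_max_id;
	return E_OK;
}

/* Pre-fix condition: reallocate whenever id is 0 or exceeds the maximum. */
int
setif_before(struct iftable *t, unsigned id, void *ifp)
{
	int r;

	if (id > TABLEID_MAX)
		return E_INVAL;
	if (id == 0 || id > t->max_id)
		if ((r = resize_table(t, id)) != E_OK)
			return r;
	t->ifps[id] = ifp;
	return E_OK;
}

/* Fixed condition: allocate only on first use or when the table must grow. */
int
setif_after(struct iftable *t, unsigned id, void *ifp)
{
	int r;

	if (id > TABLEID_MAX)
		return E_INVAL;
	if (t->ifps == NULL || id > t->max_id)
		if ((r = resize_table(t, id)) != E_OK)
			return r;
	t->ifps[id] = ifp;
	return E_OK;
}

typedef int (*setif_fn)(struct iftable *, unsigned, void *);

/*
 * Replay the reproduction script: 42 for "rdomain 42", 0 for "-rdomain"
 * (constructed from the script above). Returns the first non-E_OK result,
 * or E_OK if every step succeeded.
 */
int
replay_script(setif_fn fn)
{
	static const unsigned ids[] = {
		42, 42, 42, 0, 42, 42, 0, 0, 42, 0, 0, 0, 0, 0, 42, 42
	};
	struct iftable t = { NULL, 0 };
	int dummy_ifp, r = E_OK;
	size_t i;

	for (i = 0; i < sizeof(ids) / sizeof(ids[0]); i++)
		if ((r = fn(&t, ids[i], &dummy_ifp)) != E_OK)
			break;
	free(t.ifps);
	return r;
}

int
main(void)
{
	printf("pre-fix condition: %d (E_OVERFLOW at the first -rdomain)\n",
	    replay_script(setif_before));
	printf("fixed condition:   %d (E_OK)\n", replay_script(setif_after));
	return 0;
}
```

With the pre-fix condition the fourth step (the first `-rdomain`) asks for a one-entry table while forty-three entries are live, and the model reports E_OVERFLOW where the kernel would copy past the allocation; with the fixed condition the same step simply stores into slot 0 of the existing table and the whole sequence completes.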