Finally track down the reason for some of my occasional kernel crashes.
Route(1) has a bug that sends a bad message to the kernel. The kernel trusts it and crashes. Add some sanity checks so that we don't trust the user quite as much any more. (also add a comment in if_ethersubr.c)
parent
87fc08e0db
commit
7f33a738c1
@ -31,7 +31,7 @@
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* @(#)if_ethersubr.c 8.1 (Berkeley) 6/10/93
|
||||
* $Id: if_ethersubr.c,v 1.34 1997/03/24 11:33:11 bde Exp $
|
||||
* $Id: if_ethersubr.c,v 1.35 1997/05/10 10:01:31 jhay Exp $
|
||||
*/
|
||||
|
||||
#include <sys/param.h>
|
||||
@ -792,6 +792,9 @@ ether_resolvemulti(ifp, llsa, sa)
|
||||
|
||||
switch(sa->sa_family) {
|
||||
case AF_LINK:
|
||||
/*
|
||||
* No mapping needed. Just check that it's a valid MC address.
|
||||
*/
|
||||
sdl = (struct sockaddr_dl *)sa;
|
||||
e_addr = LLADDR(sdl);
|
||||
if ((e_addr[0] & 1) != 1)
|
||||
|
@ -31,7 +31,7 @@
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* @(#)rtsock.c 8.5 (Berkeley) 11/2/94
|
||||
* $Id: rtsock.c,v 1.26 1997/02/22 09:41:15 peter Exp $
|
||||
* $Id: rtsock.c,v 1.27 1997/04/27 20:01:00 wollman Exp $
|
||||
*/
|
||||
|
||||
|
||||
@ -506,6 +506,10 @@ rt_setmetrics(which, in, out)
|
||||
((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
|
||||
#define ADVANCE(x, n) (x += ROUNDUP((n)->sa_len))
|
||||
|
||||
/*
|
||||
* Extract the addresses of the passed sockaddrs.
|
||||
* Do a little sanity checking so as to avoid bad memory references.
|
||||
*/
|
||||
static void
|
||||
rt_xaddrs(cp, cplim, rtinfo)
|
||||
register caddr_t cp, cplim;
|
||||
@ -515,9 +519,23 @@ rt_xaddrs(cp, cplim, rtinfo)
|
||||
register int i;
|
||||
|
||||
bzero(rtinfo->rti_info, sizeof(rtinfo->rti_info));
|
||||
for (i = 0; (i < RTAX_MAX) && (cp < cplim); i++) {
|
||||
for (i = 0; i < RTAX_MAX; i++) {
|
||||
if ((rtinfo->rti_addrs & (1 << i)) == 0)
|
||||
continue;
|
||||
/*
|
||||
* It won't fit. Pretend it doesn't exist.
|
||||
* Would return EINVAL if not void
|
||||
*/
|
||||
if ( (cp + sa->sa_len) > cplim )
|
||||
return;
|
||||
/*
|
||||
* there are no more.. quit now
|
||||
* If there are more bits, they are in error.
|
||||
* I've seen this. route(1) can evidently generate these.
|
||||
* This causes kernel to core dump.
|
||||
*/
|
||||
if (sa->sa_len == 0)
|
||||
return;
|
||||
rtinfo->rti_info[i] = sa = (struct sockaddr *)cp;
|
||||
ADVANCE(cp, sa);
|
||||
}
|
||||
|
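Review bot: In the rt_xaddrs loop of rtsock.c, both new checks read `sa->sa_len` before `sa` is assigned for the current entry; as rendered, the only assignment is the later `rtinfo->rti_info[i] = sa = (struct sockaddr *)cp;`, so the first pass would test an unset pointer and later passes would test the previous sockaddr (the declaration of `sa` lies outside the hunk, so this is inferred from the visible lines). Assign first with `sa = (struct sockaddr *)cp;` directly after the `continue`, and store `rtinfo->rti_info[i] = sa;` only once both checks have passed. The loop condition also appears to drop `cp < cplim`, so when `cp == cplim` the length byte itself is read past the end of the message; a guard such as `if (cp >= cplim) return;` ahead of the length test would cover that. The fit test also compares the raw `sa_len` while `ADVANCE` steps by `ROUNDUP(sa_len)`, and the silent `return` leaves the caller with a partly filled `rti_info` and no error, which is worth stating in the function's header comment.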