Subject: kern/1120: options GATEWAY statistics array bounds are not checked.
To: None <gnats-admin@sun-lamp.cs.berkeley.edu>
From: Neil J. McRae <neil@domino.org>
List: netbsd-bugs
Date: 06/07/1995 03:05:11
>Number: 1120
>Category: kern
>Synopsis: options GATEWAY statistics array bounds are not checked.
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: kern-bug-people (Kernel Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Jun 7 03:05:07 1995
>Originator: Neil J. McRae
>Organization:
Domino.
>Release: 25/5/95
>Environment:
System: NetBSD w.demon.co.uk 1.0A NetBSD 1.0A (DEMON) #0: Thu May 25 18:25:31 BST 1995 root@w.demon.co.uk:/usr/src/sys/arch/i386/compile/DEMON i386
>Description:
An array for statistics is created at boot time on an options GATEWAY
kernel. It is written to each time a packet is forwarded, never checking
for array bounds. If a network interface is added after boot time, it will
write past the end of the array and into whatever is stored past its end.
>How-To-Repeat:
Build an options GATEWAY kernel and add a network interface after boot
time; eventually this will cause problems. The problem was forwarded to me and
I personally have been unable to repeat it, although I am assured the problem
exists.
>Fix:
Not a fix but a slight workaround is to use options "IPFORWARDING=1"; however,
this doesn't give enough mbuf clusters unless NMBCLUSTERS= is used, which is a
hack, or so I am told.
>Audit-Trail:
>Unformatted:
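
The failure mode described in this report, as an added user-space C illustration that is not part of the original report and is not NetBSD source. All names are hypothetical, and the per-interface-pair counter layout is an assumption made for the model.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of a forwarding-statistics table sized once at boot. */
struct fwd_stats {
    unsigned long *cells;   /* n_at_boot * n_at_boot counters (assumed layout) */
    int n_at_boot;          /* interface count when the table was sized */
    unsigned long dropped;  /* forwards not counted: index out of range */
};

/* Size the table from the interfaces present at "boot". */
int stats_init(struct fwd_stats *s, int n_ifaces)
{
    s->cells = calloc((size_t)n_ifaces * n_ifaces, sizeof *s->cells);
    s->n_at_boot = n_ifaces;
    s->dropped = 0;
    return s->cells ? 0 : -1;
}

/* Pattern from the report: index by interface number, no bounds check.
 * An index from an interface added after init lands past the allocation. */
void count_unchecked(struct fwd_stats *s, int in_if, int out_if)
{
    s->cells[in_if * s->n_at_boot + out_if]++;
}

/* Checked form: validate both indices against the size used at allocation. */
int count_checked(struct fwd_stats *s, int in_if, int out_if)
{
    if (in_if < 0 || out_if < 0 ||
        in_if >= s->n_at_boot || out_if >= s->n_at_boot) {
        s->dropped++;       /* record the miss instead of corrupting memory */
        return -1;
    }
    s->cells[(size_t)in_if * s->n_at_boot + out_if]++;
    return 0;
}

int main(void)
{
    struct fwd_stats s;
    if (stats_init(&s, 2) != 0)
        return 1;
    count_checked(&s, 0, 1);    /* both interfaces existed at boot */
    count_checked(&s, 2, 1);    /* interface 2 was added later: rejected */
    printf("counted=%lu dropped=%lu\n", s.cells[1], s.dropped);
    free(s.cells);
    return 0;
}
```

Rejecting the update only stops the memory corruption; counting traffic for late-added interfaces would also require resizing the table when an interface attaches.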