Subject: kern/4444: ipnat might crash the system
To: None <gnats-bugs@gnats.netbsd.org, darrenr@cyber.com.au>
From: Dave Huang <khym@bga.com>
List: netbsd-bugs
Date: 11/07/1997 06:44:23
>Number: 4444
>Category: kern
>Synopsis: ipnat might crash the system
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: kern-bug-people (Kernel Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Nov 7 04:50:02 1997
>Last-Modified:
>Originator: Dave Huang
>Organization:
Name: Dave Huang | Mammal, mammal / their names are called /
INet: khym@bga.com | they raise a paw / the bat, the cat /
FurryMUCK: Dahan | dolphin and dog / koala bear and hog -- TMBG
Dahan: Hani G Y+C 22 Y++ L+++ W- C++ T++ A+ E+ S++ V++ F- Q+++ P+ B+ PA+ PL++
>Release: NetBSD-1.3_ALPHA as of November 6, 1997
>Environment:
System: NetBSD dahan.metonymy.com 1.3_ALPHA NetBSD 1.3_ALPHA (SPIFF) #156: Thu Nov 6 06:24:34 CST 1997 khym@dahan.metonymy.com:/usr/src.local/sys/arch/i386/compile/SPIFF i386
IPFilter 3.2
>Description:
If ipnat has a mapping to 0/32, i.e. use the interface's current
address, but the interface has no IP address, it'll crash when it
tries to get the interface's IP address.
>How-To-Repeat:
Start a demand dial ppp connection to someplace, add a static route
through that ppp connection, then add a NAT mapping for that
interface, using 0/32 as the address to use for the source address.
For example:
sloth ~# netstat -nI ppp1
Name  Mtu   Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
ppp1  1500  <Link>                               0     0        0     0     0
ppp1  1500  130.210       130.210.252.49         0     0        0     0     0
sloth ~# netstat -rn|grep ppp1
130.210            130.210.252.254    UGS         0        0      -  ppp1
130.210.252.254    130.210.252.49     UH          1        0      -  ppp1
sloth ~# ipnat -l
List of active MAP/Redirect filters:
map ppp1 10.1.1.64/28 -> 0.0.0.0/32 portmap tcp 1025:65000
map ppp1 10.1.1.64/28 -> 0.0.0.0/32
List of active sessions:
Now kill the pppd, which will remove the interface's address, but keep
the static route around:
Name   Mtu   Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
ppp1*  1500  <Link>                               0     0        0     0     0
From another machine on the network, try to connect to a host that
will use that static route:
dahan ~> ftp 130.210.2.10
Watch the countdown:
fatal page fault in supervisor mode
trap type 6 code 0 eip f01544f5 cs c0000008 eflags 10002 cr2 0 cpl c0000000
panic: trap
syncing disks... 7 7 6 4 done
dumping to dev 1, offset 32641
dump 8 7 6 5 4 3 2 1 succeeded
rebooting...
Look at the core dump to see where it crashed:
(gdb) list *0xf01544f5
0xf01544f5 is in nat_ifpaddr (../../../../netinet/ip_nat.c:487).
482                     ifa = ifa->ifa_list.tqe_next;
483 # else
484                     ifa = ifa->ifa_next;
485 # endif
486 # endif
487                     sin = (SOCKADDR_IN *)ifa->ifa_addr;
488             }
489             if (!ifa)
490                     sin = NULL;
491             if (!sin) {
>Fix:
--- /usr/src/sys/netinet/ip_nat.c Thu Oct 30 07:08:25 1997
+++ ip_nat.c Fri Nov 7 06:26:33 1997
@@ -484,7 +484,8 @@
ifa = ifa->ifa_next;
# endif
# endif
- sin = (SOCKADDR_IN *)ifa->ifa_addr;
+ if (ifa)
+ sin = (SOCKADDR_IN *)ifa->ifa_addr;
}
if (!ifa)
sin = NULL;
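Review bot: The guard is the right fix for the traversal in this hunk: after `ifa = ifa->ifa_next;` the list can end with ifa NULL, and the removed `sin = (SOCKADDR_IN *)ifa->ifa_addr;` read straight through it. Note that the `if (!ifa) sin = NULL;` in the trailing context is still required, because when the list runs out sin still points at the previous, non-AF_INET entry and must be cleared before the `if (!sin)` test that follows. The loop condition itself is outside the hunk, so confirm it tests ifa (not only sin) so the walk terminates once ifa becomes NULL; a one-line comment above the new `if (ifa)` saying that an interface with no address at all (ppp1 after pppd exits) reaches this point would help the next reader.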
>Audit-Trail:
>Unformatted:
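As an added illustration (not code from this PR or from IPFilter), here is a user-space model of the address-list walk in nat_ifpaddr(), reconstructed from the gdb listing and the patch: the pre-fix loop beside the guarded one, run over constructed address lists for ppp1 with and without an AF_INET entry. The structure layouts, function names and the list contents are assumptions built for the example.

```c
#include <stdio.h>
/* Constructed stand-ins for the kernel's ifaddr/sockaddr types. */
#define AF_INET 2
#define AF_LINK 18
struct sockaddr    { unsigned char sa_family; };
struct sockaddr_in { unsigned char sin_family; unsigned int sin_addr; };
struct ifaddr      { struct sockaddr *ifa_addr; struct ifaddr *ifa_next; };

/* Pre-fix shape of the walk in nat_ifpaddr() (reconstructed from the gdb
 * listing, lines 482-490): the body dereferences ifa right after advancing
 * it, so a list with no AF_INET entry (ppp1 after pppd exits) reads NULL. */
struct sockaddr_in *first_inet_addr_unguarded(struct ifaddr *ifa)
{
    struct sockaddr_in *sin = ifa ? (struct sockaddr_in *)ifa->ifa_addr : NULL;
    while (sin && ifa && sin->sin_family != AF_INET) {
        ifa = ifa->ifa_next;
        sin = (struct sockaddr_in *)ifa->ifa_addr;   /* ifa may be NULL here */
    }
    if (!ifa)
        sin = NULL;
    return sin;
}

/* Same walk with the PR's one-line fix: only dereference ifa when it is
 * non-NULL, so an address-less interface yields NULL instead of a trap. */
struct sockaddr_in *first_inet_addr_guarded(struct ifaddr *ifa)
{
    struct sockaddr_in *sin = ifa ? (struct sockaddr_in *)ifa->ifa_addr : NULL;
    while (sin && ifa && sin->sin_family != AF_INET) {
        ifa = ifa->ifa_next;
        if (ifa)
            sin = (struct sockaddr_in *)ifa->ifa_addr;
    }
    if (!ifa)
        sin = NULL;
    return sin;
}

/* Constructed lists: ppp1 up (link-level entry, then 130.210.252.49) and
 * ppp1 after pppd exited (link-level entry only, as netstat -nI showed). */
struct sockaddr_in link_sin  = { AF_LINK, 0 };
struct sockaddr_in inet_sin  = { AF_INET, 0x82d2fc31u };
struct ifaddr      ppp1_inet = { (struct sockaddr *)&inet_sin, NULL };
struct ifaddr      ppp1_up   = { (struct sockaddr *)&link_sin, &ppp1_inet };
struct ifaddr      ppp1_down = { (struct sockaddr *)&link_sin, NULL };
int main(void)
{
    printf("ppp1 up:   %s\n", first_inet_addr_guarded(&ppp1_up)   ? "AF_INET found" : "none");
    printf("ppp1 down: %s\n", first_inet_addr_guarded(&ppp1_down) ? "AF_INET found" : "none");
}
```

Calling first_inet_addr_unguarded() on ppp1_down reproduces the NULL read that the kernel reported as a page fault in supervisor mode; the guarded version returns NULL for it.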